As you know, Curve Finance has had several problems in the last few days. The worst seems to be over, but let's look at what happened, also to better understand the risks of DeFi.
On July 30, 2023, a hacker exploited a vulnerability in the reentrancy lock mechanism of some Curve pools written in the Vyper programming language. Basically, a reentrant lock is a mutual exclusion mechanism that allows threads to re-enter a lock on a resource (multiple times) without a deadlock situation. A thread entering the lock increases the hold count by one every time. Similarly, the hold count decreases when unlock is requested. In Vyper, the @nonreentrant(<key>) decorator is the guard that is meant to stop a function from being re-entered while a call holding the same key is still in progress. Through this weakness, the hacker was able to drain a portion of the $69M from different pools of Curve:
CRV/ETH (about $30M)
alETH/ETH ($20.5M)
pETH/ETH ($11.5M)
msETH/ETH ($1.6M, via a front-running attack by a second attacker using an MEV bot; the money was then returned)
In addition to causing numerous liquid versions of ETH to lose their peg, this has also greatly reduced the liquidity of the first-ever pool of the CRV token (CRV/ETH). Obviously, this liquidity drain, in addition to creating problems for the liquidity providers and DAOs that supplied assets to these pools, has also greatly reduced the liquidity of the Curve asset itself.
Besides Curve Finance, of course, the exploit involved projects such as the decentralized exchange Ellipsis, the lending platforms Alchemix & JPEG'd and the synthetic protocol Metronome, which have seen millions of dollars of assets stolen from liquidity pools.
The problem has been solved and the final code is not vulnerable:
set_reentrancy_key_position is now correctly invoked for any type_item that is nonreentrant, so that it will correctly use the same storage_slot whenever the same key is specified in a @nonreentrant(<key>) decorator.
For more info: Vyper Nonreentrancy Lock Vulnerability Technical Post-Mortem Report
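Why the storage slot matters for the fix described above, as an added Python model (not Vyper code and not taken from the post-mortem). The contract, its withdraw/deposit functions and the slot allocator are hypothetical; the per-function allocation is a constructed model of two functions with the same key not sharing a slot.

```python
class Reentered(Exception):
    """A guarded function was entered while its lock slot was already set."""

def allocate_slots(guarded, per_key):
    """Assign a lock storage slot to each (function, key) pair.

    per_key=True: functions sharing a key share a slot (the fixed behaviour).
    per_key=False: every function gets its own slot (constructed model of the flaw).
    """
    slots, by_key = {}, {}
    for index, (func, key) in enumerate(guarded):
        slots[func] = by_key.setdefault(key, len(by_key)) if per_key else index
    return slots

class Pool:
    # Hypothetical contract: both functions are declared @nonreentrant("lock").
    GUARDED = [("withdraw", "lock"), ("deposit", "lock")]

    def __init__(self, per_key):
        self.slots = allocate_slots(self.GUARDED, per_key)
        self.locked = set()   # storage slots currently holding a lock
        self.trace = []       # order in which function bodies ran

    def _enter(self, func, body):
        slot = self.slots[func]
        if slot in self.locked:
            raise Reentered(func)
        self.locked.add(slot)
        try:
            body()
        finally:
            self.locked.discard(slot)

    def withdraw(self, callback):
        # The external call (callback) runs while withdraw's lock is held.
        self._enter("withdraw", lambda: (self.trace.append("withdraw"), callback()))

    def deposit(self):
        self._enter("deposit", lambda: self.trace.append("deposit"))

def reentry_blocked(per_key, target):
    """True if calling `target` from inside withdraw's callback is rejected."""
    pool = Pool(per_key)
    inner = pool.deposit if target == "deposit" else (lambda: pool.withdraw(lambda: None))
    try:
        pool.withdraw(inner)
    except Reentered:
        return True
    return False
```

With one slot per function, re-entering the same function is still rejected, which is why a test that only re-enters the function it started from would not notice the problem.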
POOR LIQUIDITY
Poor liquidity for large purchases means not being able to sell/buy the asset and very high slippage ("price impact is too high").
Let's assume that the CRV/ETH pool had $30M in it (15M CRV and 15M ETH). In normal conditions if you want to buy 5M of CRV you can do it. After the exchange, the pool would host $10M of CRV and $20M of ETH. If a pool is drained instead, low liquidity makes trading difficult/impossible.
At this point, anyone wishing to exchange these two assets should use smaller sizes, or opt for another pool. The second largest pool in terms of TVL is the one created on Uniswap, i.e. CRV/ETH 0.3% ($2.2M). This lack of liquidity in the major pools that allow the exchange of CRV creates a major problem for the CRV token. It has become a very illiquid asset on-chain and therefore cannot be bought or sold in large quantities.
After the exploit and the hacker's liquidity drain, many people were afraid that this could also happen in other Curve pools, and so withdrew a large part of the liquidity on the protocol. Overall, TVL lost 50% of its liquidity. All this then spread in a similar way to the various Curve boosters, namely Convex, Yearn Finance and StakeDAO.
CRV DUMP
All this distrust has consequently led to massive sales on the market of the tokens of the various protocols, especially $CRV. This caused the price to fall from an initial value of $0.70 to below $0.50, a decrease of about 35%.
Another issue to consider is that most AMMs have a liquidity mining program for anyone who decides to provide liquidity to the platform.
Curve decides every two weeks to issue 100,000 CRV on the market and to allocate them to different pools of its platform. Obviously, whoever receives more tokens will have greater incentives and thus a better chance of attracting more TVL into the pools, which will inevitably lead to more trades thanks to lower slippage.
This is what kicks off the bribing mechanism: through veCRV, you can decide which pool receives the largest amount of tokens for the next two weeks. It also shows why the price of CRV is so important: if the usual quantity of rewards is paid out, liquidity providers will be paid much less (because CRV is worth less).
LOAN FROM MICHAEL EGOROV (CURVE CEO)
Complicating this whole affair is the enormous debt of Curve CEO Michael Egorov (Egorov Address Etherscan), who owns a very large amount of CRV. Not being able to dump them on the market, he decided a few years ago to collateralize them on the main lending protocols:
Aave ($55M debt)
Fraxlend ($10M debt)
Abracadabra ($12M debt)
Inverse Finance ($7M debt)
Total: around $85M of debt in stablecoins. If the price of CRV reaches a level between $0.4 and $0.37, his positions would be liquidated and a large part of them would be sold on the market. In general, the CRV collateral would be sold on the market to repay the debt while keeping the platform solvent.
The various lending platforms would benefit by earning a part of his loss.
However, the liquidity of the pool mostly used by these protocols to liquidate, and therefore convert CRV into ETH or stable assets, has been drained. This makes CRV an illiquid token; as a result, if there were a large token dump, these platforms would not find a counterparty to sell to in order to repay the debt, and they would be left with bad debt.
The fact that Aave or other lending platforms can give their users the possibility to collateralize large positions through assets that can become illiquid is a problem. This could lead to the debt not being repaid, forcing the platform itself to use part of its treasury/emergency fund.
In the absence of this fund, however, the platform will have to take on this bad debt and therefore users would lose part of the liquidity deposited.
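The bad-debt scenario described above, worked through as an added Python example (not from the original article). It assumes a simple constant-product pool with no fees, which is a simplification and not how Curve pools price trades, and every figure in it is constructed.

```python
def swap_out(reserve_in, reserve_out, amount_in):
    """Constant-product (x*y=k) output, fees ignored; integer units."""
    return reserve_out * amount_in // (reserve_in + amount_in)

def liquidate(collateral, debt, pool_crv, pool_usd, treasury):
    """Sell all collateral into the pool and split any shortfall.

    Returns the proceeds, the average execution price, and how the
    shortfall is covered: first by the platform's treasury/emergency
    fund, then by the depositors.
    """
    proceeds = swap_out(pool_crv, pool_usd, collateral)
    shortfall = max(0, debt - proceeds)
    from_treasury = min(shortfall, treasury)
    return {
        "proceeds": proceeds,
        "avg_price": proceeds / collateral,
        "from_treasury": from_treasury,
        "depositor_loss": shortfall - from_treasury,
    }

# Constructed figures (not from the article): 25M CRV backing a $10M loan,
# spot price $0.50 in both pools, lending platform treasury of $2M.
POSITION = dict(collateral=25_000_000, debt=10_000_000, treasury=2_000_000)

# Deep pool: 100M CRV against $50M of the quote asset.
DEEP = liquidate(pool_crv=100_000_000, pool_usd=50_000_000, **POSITION)

# Drained pool: same spot price, one tenth of the depth.
DRAINED = liquidate(pool_crv=10_000_000, pool_usd=5_000_000, **POSITION)

if __name__ == "__main__":
    for name, result in (("deep", DEEP), ("drained", DRAINED)):
        print(name, result)
```

Both pools quote the same spot price before the sale; only the depth differs, and that alone decides whether the liquidation covers the debt.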
HOW THE LENDING PLATFORMS INVOLVED WORK
The various lending protocols involved have taken precautions to force Michael Egorov to repay the debt. Platforms like Fraxlend hedge against these cases by using an interest rate increase method called the "Time-Weighted Variable Interest Rate". Essentially, this mechanism doubles the interest on borrowed debt every 12 hours if the market's utilization rate remains 100%.
It is very likely that due to the distrust of this position and the illiquidity of the CRV token, not many people will put any liquidity into Fraxlend. In this way Michael Egorov will have to repay his debt, otherwise the interest will double every day until it almost exceeds the equivalent value of the collateral, triggering the liquidation anyway.
Platforms like Abracadabra, on the other hand, do not have this mechanism of exponential increase in the interest rate.
Inverse Finance, unlike the previously seen lending platforms, adopts a fixed rate. It therefore appears to be opting for a solution that involves the borrowing entity depositing more collateral. In this way, the repayment period of the debt can be increased, while maintaining the usual interest rate.
In all this, AAVE is thinking of a series of proposals that could force Michael Egorov to repay the debt.
HOW THE DEBTOR EGOROV BEHAVED
The first thing Michael did, as CEO of Curve, was to create a pool on the protocol he created, composed of the stablecoin crvUSD and CRV/FRAX LP. All of this was encouraged with 100k CRV as a reward.
The objective of creating this pool is to incentivize the collection of liquidity towards Fraxlend. In this way, the utilization rate of the debt position of the lending platform would be lowered.
Within hours of launching, the pool filled with approximately $2 million, effectively reducing the utilization rate of the position on FRAX to 89% and preventing the interest rate from doubling every 12 hours.
The other move made by Michael was to sell CRV via OTC (over-the-counter) sales, i.e. through off-chain agreements. This does not move the CRV price down. Currently there are dozens of investors, including Justin Sun, the treasury of Yearn Finance, Wintermute, Cream Finance and DWF Labs, and the number of CRV sold amounts to 59.5M.
However, the dynamics or constraints that oblige buyers to hold CRV tokens for a certain period of time are not clear.
According to the rumors that have emerged, the obligation is to keep the CRV tokens for at least 6 months, or until the price doubles compared to the purchase price, thus reaching $0.8.
With part of the capital raised, it seems that Egorov is repaying the various lending platforms, starting with Aave with a "repay" of around $3M.
In addition to this, it seems that there is also a proposal from one of Aave's first investors to buy a part of CRV. This would avoid the black swan and at the same time Aave would increase the power of the DAO against Curve.
RETURN OF FUNDS
One of the hackers started returning the stolen funds, around 5500 ETH. In return, the hacker received a bounty of 610 ETH (10% of the total stolen). The confirmation comes from JPEG'd, a lending protocol that lost $11.6 million in this attack.
The team said the funds were returned to the JPEG'd wallet address acting as a treasury.
"Any further investigation or legal issue against the entity will be terminated. We view this incident as a white-hat rescue" said the JPEG'd team.
On August 3, Curve, Metronome and Alchemix jointly announced an initiative to recover the stolen funds, offering hackers a 10% bounty and no legal action if they returned the remaining 90% of the funds.
In less than 24 hours, the hacker apparently agreed to the deal and gradually began returning the stolen funds to the various projects.
In addition to JPEG'd, the hackers returned 4,820.55 Alchemix ETH (alETH) to the Alchemix Finance team and some ETH to the Curve Finance team.