Curve Unwinds Millions Of Dollars Of Risk At 70 Cents On The Dollar

Over the course of several hours, Curve Finance, a major decentralized finance platform, was the subject of an exploit resulting in the theft of over $70M and is now attempting to recover, stabilize and stave off potential liquidation risks.

Although the overall DeFi market is not new to such attacks, the incident against a well-established protocol shook confidence in the emerging industry, despite most of the stolen funds being returned. The attack also carried the potential for contagion, introducing the possibility of instability in assets loaned out and collateralized against the stolen funds. Those potential ripple effects are now prompting actions to avoid liquidations.

The attack relied on a vulnerability in older versions of Vyper, a programming language used to write the smart contracts, and its compiler, the software that converts human-written code to machine code. The assault targeted crypto assets in pools or vaults, roughly analogous to bank accounts that hold two or more assets in ratios to each other. Each pool allows investors to deposit assets and traders to swap between those assets, generating yield for the investor sourced from trading fees. Investors that deposit assets receive tokens as receipts, which in turn can be traded or collateralized elsewhere.

Although the loss alone would be a significant setback for Curve Finance, its co-founder Michael Egorov's collateralized debt positions of over $90M came at risk of liquidation as the value of the collateral declined sharply and liquidity for the collateral also tightened. The risk of liquidation has forced Egorov to deleverage and sell assets over-the-counter at approximately 67 cents on the dollar, with lock-up periods, to buyers like StakeDAO in order to backstop a forced liquidation on positions held at a number of lending platforms like Aave, Abracadabra, Inverse and Fraxlend.

Curve Finance provides a vital financial function of allowing trades, also known as swaps, between stablecoins. Most stablecoins attempt to maintain a value on par with the US dollar, while a smaller number peg to other fiat currencies. However, risk, market confidence, level of utility and other factors can change the demand for any given stablecoin, creating the need to move from one to another even though both stablecoins in the swapped pair peg to the same fiat value.

The vulnerability was first announced by @vyperlang on Twitter on July 31st around 1PM EST, and within a few hours exploitation of the vulnerability began to unfold against Curve Finance. Due to the autonomous nature of the pools, trading could not be halted and draining of the funds continued for several hours across several pools. CRV traded as high as nearly $5 in 2022 and $1.30 this year, thus already requiring liquidity management by the Curve Finance team.

The CRV token, initially trading at around 73 cents, plummeted to as low as 50 cents, losing close to 30% of its value and setting off liquidation warning bells, before recovering to around 62 cents at the time of this writing.

Egorov, believed to be the largest holder of CRV, used the token as collateral to borrow USDT, DOLA, MIM and other tokens. Much like how the current ratio is used in accounting to compare the relationship between current liabilities and assets of a company, Egorov's ratio of collateral to assets borrowed plummeted close to liquidation trigger points at 2x and has since recovered to a healthier 4x. Had liquidations occurred, anywhere below 1.5x, the systemic impact to the DeFi ecosystem and losses could have been greater than the original theft.

Although most of the funds have been returned, either by white hat hackers or the original hacker who was offered a 10% award, the focus is now on how a relatively minor technical oversight can cause significant economic impacts. Normally, smart contracts are vetted by independent auditors. However, in this case the vulnerability existed at a deeper technical level, one that typically involves a different set of engineers and that smart contract developers or auditors do not often delve into.

While the proponents of DeFi mark this incident as an opportunity to improve resilience and have demonstrated the power of the DeFi community to come together to shore up stability, the wider public may see this as another reason for caution.
