$1.5 Billion Withdrawn From DeFi Following Curve, BALD And Base Hacks
The decentralized finance market faced dual upheavals last weekend, leaving it feeling uneasy. Namely, both Curve Finance, a leading automated market maker, and Base, Coinbase’s
Meanwhile, the early stage exchange associated with Base, called LeetSwap, saw a vulnerability exploited to drain more than $635,948 worth of Ethereum-based tokens. The close proximity of these attacks, following a weekend with more than $50 million in unexpected DeFi activity, served as a stark reminder of the risks associated with DeFi.
Curve Finance Exploits
Curve Finance suffered an exploit of around $62 million on July 30, according to TechCrunch. It was the result of a vulnerability in Vyper, the smart contract language in which some parts of Curve were written. Specifically, it was a reentrancy attack, in which a malicious contract calls back into a victim contract repeatedly before the first call has completed, so the victim's state has not yet been updated when the repeated calls arrive. The repeated calls are used to drain the funds held by the contract.
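Because the article attributes the Curve exploit to a flaw in the language's own reentrancy protection rather than in the pool logic, the defensive point is not to rely on a single mechanism. The following minimal ether vault is an added illustration written for this page; it is not Curve's code, not code from the Vyper project, and the contract, its `balances` map and its `Withdrawal` event are all hypothetical. It shows the two independent layers a reviewer would look for: the compiler-provided `@nonreentrant` lock and the checks-effects-interactions ordering that keeps a withdrawal safe even if that lock were to fail.

```vyper
# @version ^0.3.7
# Added illustration (not Curve's or Vyper's code): a minimal ether vault that
# defends against reentrancy with two independent layers, so that the failure
# of one does not by itself allow funds to be drained.

balances: public(HashMap[address, uint256])

event Withdrawal:
    who: indexed(address)
    amount: uint256

@external
@payable
def deposit():
    # Credit the caller with whatever ether was attached to the call.
    self.balances[msg.sender] += msg.value

@external
@nonreentrant("lock")
def withdraw(amount: uint256):
    # Layer 1: @nonreentrant asks the compiler to hold a lock for the duration
    # of this call, so a contract that receives the ether below cannot call
    # withdraw() again before this invocation has returned.
    #
    # Layer 2: checks-effects-interactions. The balance is checked and reduced
    # BEFORE the external send. If the lock were ineffective, a re-entering
    # caller would already have been debited and the assert would revert.
    # The unsafe ordering, "send first, then subtract", is what allows a
    # re-entering caller to withdraw the same balance repeatedly.
    assert self.balances[msg.sender] >= amount, "insufficient balance"
    # Vyper's checked arithmetic reverts on underflow, which is a third guard
    # against a balance being driven below zero.
    self.balances[msg.sender] -= amount
    send(msg.sender, amount)
    log Withdrawal(msg.sender, amount)
```

In a code review, the question to ask of every function that sends value is whether its state changes land before the external call. When they do, the reentrancy lock is a belt on top of braces, and a compiler-level failure of the lock, as described above, becomes a bug rather than a drain.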
Curve conducts swaps through liquidity pools rather than by matching buyers and sellers. These pools hold tokens that can be exchanged or withdrawn at rates set by the pool. Each holds a pair of assets, so a user exchanging A for B would go to the A/B pool – a pair pool is necessary to maintain pricing.
Curve pools using vulnerable versions of Vyper were affected. Because Curve pools are permissionless to deploy, several projects' pools were affected; for example, Alchemix lost $13.6 million and Metronome lost $1.6 million.
As all of this transpired, Curve’s utility token, CRV
Michael Egorov’s Pending Liquidations
By the morning of August 1, the market valuation of CRV had plummeted 46%. To add fuel to the fire, it turned out that Curve founder Michael Egorov had already taken out a series of hefty loans against his CRV holdings.
Some of the estimated loan positions:
- $70 million (47% of CRV circulating supply) used to take out a USDT stablecoin loan from Aave, a leading DeFi lending protocol.
- $32 million CRV to borrow $10 million of FRAX on Fraxlend.
- $17 million CRV loan on Abracadabra. In response, the protocol proposed to increase interest rates to manage risk from its CRV exposure.
Widespread market fear ensued because, if the price of CRV dips below a certain threshold set by Aave
Egorov hastily started selling his LDO
A few entities stepped in to help — Justin Sun, founder of Tron, purchased $5 million worth of CRV from Egorov in an over-the-counter transaction. Several other buyers, including the operators behind protocols like Yearn, participated as well. It remains to be seen whether all this effort can truly shield Egorov and head off the resulting chain of events that would ripple across the entire DeFi ecosystem. Of course, it raises the question of how decentralized these platforms are if individual choices can make or break their functionality.
BALD, Base And Brash
Memecoin culture, with cryptocurrencies launched to represent jokes or memes, still holds a strong sway in the crypto ecosystem even though the hype surrounding these tokenized jokes is often short-lived and highly risky. A few days before the Curve exploit, on July 29, an anonymous developer launched BALD, a memecoin referencing the fact that Coinbase CEO Brian Armstrong is bald, on Coinbase's rollup built on the OP Stack. Currently, Base is on testnet and not fully live, so it only supports a one-way bridge. In short, it's still extremely risky to use the experimental software, and most people can only put money onto the platform. It's not possible to cash out at scale.
Regardless, the BALD price jumped 40,000% within 48 hours and eventually about $80 million in value was bridged to the Base blockchain.
As the market went wild over BALD, on July 30, the memecoin deployer, who had provided the token's initial liquidity by adding his own ether via LeetSwap, pulled $12.5 million in liquidity off the exchange. The price of BALD immediately crashed, leaving the LeetSwap pool barren.
Then, to make matters worse, on July 31, LeetSwap suffered an exploit that led to it pausing trading activity. The attacker took advantage of a smart contract function to manipulate the price of an asset and subsequently drain the pool. In this attack, about $630,000 was compromised. The following day, the team announced that it was working with white hats to retrieve funds stuck in pools that the hacker had not accessed, and recovered about 197 ETH. They also offered the exploiter an olive-branch deal, which was ignored.
When that market crash coincided with the above-mentioned and unconnected exploits, the deployer tweeted a brazen message that he would add modest liquidity to other DEXs but reserved the right to profit from the memecoin however he chooses, adding "if you still decide to trade this token you will probably lose all your money."
This action incited a community-wide investigation into the developer to understand their history and some intriguing wallet activity surfaced. Namely, the deployer was an early participant in the DeFi experiment SushiSwap and also clearly had a connection to a wallet affiliated with Sam Bankman-Fried’s company Alameda Research. However, astute observers keep in mind that many people had accounts that interacted with Alameda Research wallets and the affiliated FTX exchange.
In short, the BALD developer was among the numerous crypto traders who interacted with Alameda, the entity associated with the FTX collapse. No concrete evidence has been confirmed in relation to the BALD deployer's identity.
LeetSwap Proves Another DeFi Lesson About Risk
Though the Curve exploit was relatively small compared to previous DeFi hacks, the bigger concern lies in the founder's ability to use 47% of circulating CRV for personal loans. Egorov's account and activity had been flagged before, yet no action was taken by the community. If these assets were to be liquidated, it would pose a threat to a number of DeFi protocols and cause a larger implosion than the initial exploit. The incident highlights the ongoing issues of centralization, overexposure, and dependence on central points of failure, namely individual people. As was the case with both the BALD deployer and Egorov's situation, large liquidity movements can jar literally everyone else using a particular open source protocol.
Regarding the Vyper attack, a post-mortem by the security research firm OtterSec noted that the bug had been patched in the past. But since security practices and processes are not all fleshed out, there was likely a failure to check which dependencies were still left exposed after the initial bug patch. A team responsible for staying up-to-date with security measures and how they might implicitly impact projects might have helped mitigate this risk. This conclusion led to a call to improve code review processes across the board. Public goods funding and bounties could help protect codebases as well.
On the other hand, LeetSwap was exploited due to a minor error, but neither the exploit nor the BALD rugpull will ultimately define Base's success. It is still a highly anticipated L2, even though it will likely stay volume-poor for a while before it is live for all users.
All things considered, the tale of BALD is as old as time – speculation pumps the token, only to crash as early holders exit, similar to the PEPE