Posted on Aug 04, 2023

Unveiling the Curve Hack: Lessons in Price Stability, MEV Power, and DeFi Resilience

On July 30th, the second largest decentralized exchange (DEX), Curve Finance, which boasts a total value locked (TVL) of over $2 billion, fell victim to a hack for over $70 million, mitigated to approximately $50 million thanks to white-hat hackers and MEV searchers. Attackers perpetrated a re-entrancy attack exploiting a vulnerability in Vyper, a third-party programming language for Ethereum smart contracts used by a few Curve pools.

While the incident's resolution is still ongoing and potential ramifications remain, it already elicits some considerations.

1/ Diversification of Price Feed Oracles

The first notable thing about this hack is the role of Chainlink in maintaining price stability across DeFi protocols.

As the hacker drained CRV tokens from Curve's pools and could have triggered a large sell-off, the CRV price on Curve plummeted, resulting in a lack of liquidity. Had other DEXs and DeFi protocols like Aave relied solely on Curve for CRV price feeds, they would have reflected the new, heavily discounted price. This could have triggered an almost immediate domino effect across DeFi, with depositors, LPs, lenders, and other DeFi stakeholders removing their liquidity, swapping their CRV, and closing their positions for fear of contagion. While a contagion and a wave of liquidations are still possible, the worst scenario (an immediate chain reaction of liquidations, inability to liquidate, and bad debt) was averted thanks to Chainlink’s oracle network. These nodes, forming a decentralized network, rely on a mix of both CEXs and DEXs and both on- and off-chain sources for their price feeds, which helped DeFi protocols keep the CRV price stable while it was tanking on Curve.

This episode highlights the importance of diversification, even when it includes off-chain and centralized sources. The crypto industry should strive for diversification to maximize resilience.

2/ Bounties for MEV Searcher Bots

The second noteworthy takeaway is the role of MEV searcher bots, which actively thwarted hacks on Curve by front-running hackers’ transactions, producing the largest MEV block rewards in Ethereum’s history. Remarkably, some of these funds were ultimately returned to Curve, highlighting an exciting new application of beneficial MEV, alongside existing practices like arbitrage and liquidations. The most notable example is c0ffeebabe.eth, who front-ran hackers and returned around 2,800 ETH (~$5.4 million) to Curve. While this time the front-running happened spontaneously due to inherent economic incentives - the MEV searcher bot came across an opportunity and seized it regardless of its nature - in the future, protocols could proactively incentivize MEV searchers by offering bounties for identifying and thwarting attacks, akin to hiring a private security firm to prevent thefts.

3/ Permissionless Access, Composability, and Decentralization

The inherent strengths of crypto networks – permissionless access and composability – also introduce vulnerabilities. The permissionless nature and open source code enabled hackers to identify and exploit the Vyper vulnerability, while composability across DeFi protocols poses the risk of a domino effect. Specifically, the widespread acceptance of CRV as collateral by various DeFi protocols has unlocked massive liquidity and profit opportunities in the past years, but may now cause a cascading wave of liquidations. Aave v2, for instance, is heavily exposed to Curve founder Michael Egorov’s massive and well-known borrow position, a $70 million loan collateralized by 33% of the CRV total circulating supply. Gauntlet has previously advised Aave to rely less on CRV due to its shallow liquidity and concentration risk. Egorov’s liquidation price on Aave v2 is $0.376 per CRV. Should the hacker attempt to mass sell the stolen CRV (about 8% of the total supply), the price would drop further, likely below the liquidation price. This would be potentially catastrophic: the massive collateral used by Egorov, combined with the high concentration of CRV, leaves a general lack of CRV liquidity in the rest of the ecosystem, which would make it very hard, if not impossible, for Aave to liquidate the loan (because no liquidator could sell those CRV without tanking the price), generating bad debt for the protocol.
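The oracle-diversification point from section 1 and the liquidation-price discussion above can be made concrete with a small simulation. The following Python is an added example written for this post, not code from Curve, Aave, or Chainlink: a median-of-feeds aggregator with staleness and deviation filters, as a generic stand-in for how a multi-source oracle network resists a single distressed venue. All quotes, timestamps, and threshold parameters are constructed sample values; the only figure taken from the post is the $0.376 liquidation price. It shows that a lender reading only the distressed pool would mark the position liquidatable, while the aggregated reference price keeps it healthy.

```python
"""Added example: median-of-feeds price aggregation vs. single-source pricing.

Not code from the original post or from any protocol it names. All feed values
are constructed sample data; 0.376 USD/CRV is the liquidation price the post cites.
"""
from dataclasses import dataclass
from statistics import median
from typing import Optional

# Liquidation price quoted in the post for the Aave v2 position (USD per CRV).
LIQUIDATION_PRICE_USD = 0.376


@dataclass(frozen=True)
class Quote:
    source: str
    price: float      # USD per CRV
    timestamp: int    # unix seconds when the quote was observed


def aggregate_price(quotes, now, max_age=300, min_sources=3, max_deviation=0.5) -> Optional[float]:
    """Return a robust reference price, or None if there is not enough fresh data.

    1. Drop quotes older than `max_age` seconds (stale feeds cannot vote).
    2. Take a preliminary median of the fresh quotes.
    3. Drop quotes deviating more than `max_deviation` (a fraction) from that median,
       so one collapsed venue cannot drag the reference price.
    4. Require at least `min_sources` surviving quotes; otherwise refuse to price.
    All thresholds are constructed assumptions, not any real oracle's parameters.
    """
    fresh = [q for q in quotes if now - q.timestamp <= max_age]
    if len(fresh) < min_sources:
        return None
    prelim = median(q.price for q in fresh)
    kept = [q for q in fresh if abs(q.price - prelim) / prelim <= max_deviation]
    if len(kept) < min_sources:
        return None
    return median(q.price for q in kept)


def single_source_price(quotes, source) -> Optional[float]:
    """Price as seen by a protocol that trusts one venue only (no freshness check)."""
    for q in quotes:
        if q.source == source:
            return q.price
    return None


def is_liquidatable(reference_price, liquidation_price=LIQUIDATION_PRICE_USD) -> bool:
    """A collateral position becomes liquidatable once the oracle price falls below
    its liquidation price; with no usable price the lender should not act at all."""
    if reference_price is None:
        return False
    return reference_price < liquidation_price


# Constructed scenario: the attacked pool reads 0.20 while CEXs and another DEX
# still trade near 0.60; one feed is stale and must be ignored.
NOW = 1_000_000
SAMPLE_QUOTES = [
    Quote("curve_pool", 0.20, NOW - 10),   # distressed venue after the drain
    Quote("cex_a", 0.60, NOW - 20),
    Quote("cex_b", 0.61, NOW - 15),
    Quote("dex_b", 0.59, NOW - 30),
    Quote("stale_feed", 0.75, NOW - 900),  # older than max_age, dropped
]


def compare_views(quotes=SAMPLE_QUOTES, now=NOW) -> dict:
    """Summarise how each pricing view judges the position."""
    curve_only = single_source_price(quotes, "curve_pool")
    aggregated = aggregate_price(quotes, now)
    return {
        "curve_only_price": curve_only,
        "curve_only_liquidatable": is_liquidatable(curve_only),
        "aggregated_price": aggregated,
        "aggregated_liquidatable": is_liquidatable(aggregated),
    }


if __name__ == "__main__":
    for k, v in compare_views().items():
        print(f"{k}: {v}")
```

With the constructed quotes, the single-venue view reports 0.20 USD and flags the position for liquidation, while the aggregator discards the stale feed, rejects the 0.20 outlier against a preliminary median of 0.595, and returns 0.60 USD. If fewer than three fresh sources remain, the aggregator returns None rather than a price, which is the behaviour a lender should prefer over acting on thin data.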

While the ecosystem, made of many honest developers and stakeholders, managed to contain the damage, every time one of these crises unfolds we discover unsettling truths that were always in plain sight but largely ignored. In this case, the founder of the second-largest DEX holds almost half of the token’s total circulating supply. This is not okay for a self-proclaimed decentralized protocol, and it’s a major red flag that only a few have pointed out. The unique feature of DeFi, which distinguishes it from traditional finance and arguably makes it better, is transparency and permissionless access, meaning anyone can monitor in real time the state of each protocol and each participant’s position. We need to get better at overseeing and reporting vulnerabilities and dangerous situations, and better at designing safeguards and mechanisms that protect honest participants and their funds. We need to give more voice to teams like Gauntlet.
