What happened this week in the Crypto markets?
Written by Katie Talati, Head of Research of Arca
An uneventful summer…but not for DeFi
While we are in the part of the year where everyone is on vacation and markets have little news and even less price action, DeFi experienced a set of events that made everyone wake up from their naps on the beach and pay attention.
Not Another Hack
Last week started with yet another DeFi hack (I lost count of what hack we were at after 7). However, this one struck at the core of DeFi - the stableswap decentralized exchange, Curve.
A quick primer for those not familiar with Curve: it's a token within DeFi. Curve launched in 2020 as a way for users to swap in and out of stablecoins (dollar-pegged assets) or any other in-kind assets at ultra-low fees (users are charged 0.01% on swap trades) using the Automated Market Maker (AMM) model, which creates pools that contain 2 assets that trade against each other. The AMM model has so far been the most successful on-chain trading mechanism because it prevents front-running on trades and does not rely on external price oracles for execution. Curve realized that stablecoins would need their own trading venue as new stablecoins came to market - particularly algorithmic stablecoins (stablecoins not backed by dollar assets) - and needed a venue for liquidity to proliferate usage. Curve, therefore, shaped the business model of its token, CRV, around this demand for liquidity.
CRV is a governance token, similar to many seen on other DeFi protocols, that offers the ability to vote on governance initiatives and can earn additional tokens through participating in the protocol (i.e., yield farming). CRV token holders can vote biweekly on which stablecoin pools to direct the next batch of CRV emissions. Since liquidity is an important aspect of a new stablecoin, control over CRV emissions became integral to any new stablecoin’s launch strategy.
The workflow looked a little like this:
- DeFi protocol launches a new stablecoin called MONEY.
- DeFi protocol acquires a large number of CRV tokens and participates in a governance vote to direct new CRV emissions towards the pool with MONEY and USDT.
- Yield farmers add liquidity to the MONEY/USDT pool, but because MONEY is a new stablecoin, there isn’t any available on the market, so farmers have to go and mint new MONEY in order to add to these pools.
The end result is that yield farmers make a lot of money off CRV emissions, and the DeFi protocol behind MONEY has grown the size of its new stablecoin market cap and ended up with deeper liquidity. (We won’t dive in today on how this isn’t a sustainable model and MONEY will need real-world use cases to continue being relevant.)
Curve’s model and AMM created and grew a number of businesses in DeFi including algorithmic stablecoins such as FRAX, Convex, Yearn Finance, and many more. As a result, Curve is considered one of the “building blocks or legos” within DeFi alongside Uniswap, MakerDAO, and Aave, and has become a critical piece of infrastructure.
Now that we have some background, let’s shift back to last week.
Last Sunday morning, reports started surfacing of a vulnerability in Vyper (the coding language for smart contracts using the Ethereum Virtual Machine) that a hacker actively exploited. Vyper is used in a number of DeFi protocol smart contracts, most notably Curve, and the vulnerability allowed for a “reentrancy attack”, which is essentially when someone can trick a smart contract into executing a function (such as “withdraw assets from xx”) multiple times.
The hacker worked quickly and managed to exploit and drain funds from JPEGD ($11.4M), Alchemix ($13.6M) and Curve ($61M). As DeFi protocols scrambled to assess if their platforms were impacted, a group of “white hat” hackers stepped in to minimize the damage, draining pools on Curve using the newly found exploit and returning these funds to their rightful owners. It was an impressive feat and a real testament to the power of the crypto community. The hacker still managed to steal $61M in assets of Curve’s total $3.2B in TVL. Furthermore, since everything in crypto is on-chain, most users knew about the hack and were able to withdraw their assets, preventing more damage within the first 24 hours.
Chain Reaction (No Pun Intended)
Despite damage control from the community, other unintended consequences of the hack put Curve and many other DeFi protocols at risk. In order to understand the continued risk, we need to provide some background on Curve’s founder, Michael Egorov.
After launching the Curve protocol in 2020, Egorov himself participated in the early yield farming of the Curve token when rewards emissions were at their highest rate. As a result, Egorov managed to amass 44% of the CRV token supply, which prior to last Sunday’s hack, was worth about $283M. However, Egorov faced a big problem: because CRV’s biggest use case is voting in governance, which requires CRV tokens to be locked up for a specified amount of time, the CRV token never developed much liquidity, making it difficult to buy and sell on the secondary exchange market.
As a newly minted millionaire, Egorov did what any rich person would do and he used his illiquid assets as collateral for a loan so he could pay his everyday expenses. He initially took out a small loan on the decentralized lend/borrow protocol Aave in November 2020 after putting forth a governance proposal for Aave to accept CRV as collateral against borrows. The initial loan was worth ~$2M in early 2021 but has since ballooned.
Over time, Egorov took out additional loans on other DeFi platforms including Fraxlend, Abracadabra, and Inverse Finance. The main risk with these loans is the illiquidity of CRV’s token, which means that if Egorov defaults on his loan, Aave is stuck with a bag of illiquid CRV tokens that they must then sell in order to make lenders whole. A few months ago, it was revealed that Egorov and his wife purchased a $40M mansion, presumably with his borrowed funds.
You may have heard about this loan before since on a number of prior occasions, users have attempted to stop out Egorov’s loan by manipulating the price of CRV downward. However, this has not happened and every time this loan comes up, the crypto community collectively FUDs it. But in the end, the loan is never liquidated and Egorov is able to top up collateral or pay down some of the debts and the crypto community collectively supports this action since they realize all the damage liquidating this loan could cause.
Now on Sunday, following the exploit which included CRV tokens, CRV’s price began to decline, endangering Egorov’s loans once again. If these loans were liquidated, it would further hurt the price of CRV and leave protocols such as Aave and Fraxlend with a lot of bad debt, as explained above. His $10M loan on Fraxlend was particularly problematic since the protocol automatically increases the interest rate on loan pools that are near 100% utilization every 12 hours in order to incentivize borrowers to top up collateral or pay down a loan. Essentially, the Fraxlend mechanics would have caused a liquidation within a few days even without the price of CRV changing, leading to more panic within the market.
As Egorov attempted to top up collateral on these loans, a number of market participants started pulling liquidity in an attempt to stop out the loan and cause a liquidation. Egorov then got creative, spinning up a Curve pool to exchange fFrax and crvUSD with 100K in CRV rewards, essentially allowing users to deposit stablecoins and take on fFrax (a tokenized representation of one of his debt positions) and earn CRV rewards in exchange (at one point APY on this pool was over 11,000%). The pool only made a slight difference in helping to pay down the debt on Fraxlend.
Just as the market was preparing for cascading liquidations, news leaked early Tuesday that Egorov sold some of his CRV holdings over-the-counter at around $0.40 to crypto-native investors in order to pay down some of his debt. Since then, he has done multiple deals selling 106M in CRV tokens for about $40M in stablecoins to DeFi investors and protocols such as Gnosis Chain, Reserve Protocol, DWF Labs, market-maker Wintermute, Justin Sun, DCF God and others.
Following this news, Abracadabra and Aave saw the release of governance proposals covering the risk management of Egorov’s loans. In Abracadabra’s case, the proposal suggested raising the interest rate on CRV loans to 200% in order to reduce risk to the protocol. The financial risk assessment group, Gauntlet, proposed to the Aave community limiting the amount of CRV that could be deposited as collateral. Both proposals are short-sighted and have the potential to backfire if Egorov is unable to meet a higher interest rate or is unable to top up his collateral, which could quickly lead to a default. Fraxlend, the protocol that adjusts interest rates based on liquidation level, uses a much more objective and systematic method for reducing risk on a protocol in certain conditions. Both proposals were thankfully voted down and the projects have backtracked on these stances with Abracadabra releasing a more balanced proposal and Aave proposing to use USDT in the treasury to buy CRV in order to be more aligned. The actions of these governance groups show just how poor risk management procedures are at some of the largest DeFi protocols and, if anything, counter what DeFi is trying to create - an immutable and tamper-resistant system.
Finally, as of Friday, the hacker agreed to return the stolen funds to various protocols. Alchemix, JPEGD and Curve all received the return of various stolen funds. Both Alchemix and JPEGD paid a bounty of 10% of stolen funds to the hacker’s address for the return of funds. The hacker returned some of the funds along with a message on his motivations:
“I saw some ridiculous views, so I want to clarify that I'm refunding you not because you can find me, it's because I don't want to ruin your project, maybe it's a lot of money for a lot of people, but not for me, I'm smarter than all of you.”
After this rollercoaster of a week, it’s important to think through what this episode has taught us:
- DeFi might not be all that resilient but the community sure is: While battle-tested code may have been exploited, the DeFi community stepped up in a time of dire need. The investors and protocols purchased CRV tokens, not just because they were a good deal, but because a death spiral in CRV’s price would hurt all of their businesses as well.
- Risk management via governance needs improvement: While some protocols such as MakerDAO have successfully implemented risk management decisions via governance, the proposals from Abracadabra and Aave illustrate how this process is flawed and slow to enact. Protocols that rely on governance to adjust risk parameters are likely going to fall behind and suffer the consequences of liquidations. I believe the biggest lesson is that these protocols shouldn’t accept collateral that is so illiquid and held mostly by the founder.
- Confidence has not been shaken: One would expect that after such an incident, users would be more cautious and more afraid to deposit assets into these decentralized platforms. To the contrary, although Curve’s TVL declined from $3.2B to $1.7B following the hack, the community has since regained confidence in the project and TVL now sits back at $2.35B.
- The types of assets accepted as collateral still present risk: As we saw with the assets that FTX, Genesis, BlockFi and others accepted, blindly accepting any token with an observable "market cap" as collateral fails to take into account the liquidity of the asset. Just because Curve is a beloved protocol, and the CRV token has existed for years, does not make CRV tokens worth something. Without unquestioned financial value and liquidity, what was once viewed as safe collateral can become vaporware in a time of distress.
The lingering question is what happens next? Egorov’s loans are still outstanding and unlikely to be closed out any time soon, leaving many feeling like this cycle is bound to repeat itself. Even with the new holder base, CRV liquidity is unlikely to improve and, if anything, could get worse as new holders lock up CRV tokens in governance to direct liquidity to various pools. The community can celebrate that DeFi continues to improve with every exploit and period of volatility, and promises to continue iterating on its current mechanisms and processes to provide better products in the future.