Curve Hacked for Tens of Millions of Dollars: A Walkthrough of the DeFi Market's Trial by Fire
#548
GM,
Today is August 8th, and I wish all fathers a Happy Father's Day.
The quarterly public goods funding event, Gitcoin Grants, is scheduled to take place from August 15th to August 29th. This time, Blocktrend has also signed up to participate in the Web3 community and education category. Starting next week, everyone will be invited to vote with small amounts of cryptocurrency to help Blocktrend secure a total of $250,000 in matched funding.
To prevent potential hackers from launching a Sybil attack, the organizers are introducing the Gitcoin Passport mechanism to verify the authenticity of participants. A Passport score of over 20 points is required to be recognized as an on-chain citizen, ensuring that micro-donations can contribute to matching funds. Gitcoin Passport scores will be reset every 2 to 3 months to keep information up-to-date. Even those who participated in Gitcoin Grants previously will need to reverify their identity this time. I invite everyone to get involved and participate.
In addition, I sent out the notification letters for the member gathering registration results last weekend. If you're unable to attend at the last minute, please reply directly to let us know so that other members can take your place. Now, let's get to the main topic.
If you, like me, have assets invested in the decentralized finance (DeFi) market, last week must have been nerve-wracking. The trigger was the unexpected hack of the widely trusted decentralized exchange, Curve, on the evening of July 30th, resulting in a loss of around 2.1 billion New Taiwan Dollars (TWD).
Although this is already an astronomical figure, it was just a prelude to last week's DeFi crisis. If the hackers had immediately dumped the stolen funds into the market, it could have triggered a domino effect, causing another larger-scale wave of fund liquidation. Fortunately, after a week of "on-chain negotiations," the situation has passed its most dangerous phase. Not only has the liquidation crisis been averted, but the hackers have also returned a portion of the funds. DeFi investors should be able to breathe a sigh of relief.
However, after this crisis, I have withdrawn the assets I had previously provided as liquidity on Curve into a cold wallet. This article will first explain Curve's position in the DeFi market and then discuss the details of this incident and its subsequent implications.
DeFi Building Blocks
Curve serves as an automated coin swapping mechanism on the blockchain, allowing you to instantly convert one currency into another by simply depositing funds. What's the purpose of this?
Recently, the savings interest rate for the stablecoin DAI in US dollars has reached as high as 8%. If you want to convert your USDT holdings into DAI, the most familiar way for many is to use centralized exchanges like Binance to place buy and sell orders. However, Curve can fulfill the same need. The difference is that using Curve doesn't require you to register an account or undergo identity verification. All you need is to connect your MetaMask wallet. Even for large transactions in the millions of dollars, Curve's pricing isn't any worse than Binance's. Not to mention the convenience for day-to-day small-scale exchanges.
Exactly because Curve typically offers the best exchange rates among automated coin swapping mechanisms in the market, many developers integrate Curve into their own applications. It's easier to envision this integration in the context of the metaverse. For instance, if I were to develop an online Monopoly-like game where cryptocurrencies circulate, I could use Curve to create the banking functions within the game. When players want to convert their assets into another currency, developers wouldn't need to operate an actual cryptocurrency exchange. Instead, they could delegate the transactions to Curve.
In other words, Curve's primary users aren't individuals like you and me, but rather other DeFi application developers. They would build various financial products based on Curve, providing them to investors. Using a LEGO analogy, Curve is like the foundational brick at the bottom of the DeFi market, the strongest pillar supporting the entire building's structure. Curve lives up to its reputation by rigorously guarding the security of its smart contracts. Even last week's hacking incident wasn't entirely Curve's fault per se. The issue stemmed from the underlying smart contract programming language — Vyper.
Hacker Intrusion
Vyper is a programming language specifically designed for writing smart contracts, with syntax similar to Python. Currently, the vast majority of smart contracts are written in Solidity, making Vyper a new choice for developers. It aims to attract engineers from diverse backgrounds while also mitigating risks. In case there's a vulnerability in Solidity, applications built with Vyper won't be affected.
However, in this incident, the situation was quite the opposite. Hackers found a vulnerability in a specific version of the Vyper programming language and targeted DeFi applications written with Vyper. Discovering that certain parts of Curve's code were written in Vyper, the hackers exploited the vulnerability on the evening of July 30th, stealing around $70 million worth of ETH and CRV tokens (Curve's governance token) from Curve.
Initially, the Curve team didn't suspect that the problem lay in the Vyper programming language itself. They expressed surprise on Twitter, wondering how some developers could have missed such a vulnerability. It wasn't until someone kindly pointed out that the flaw the hackers exploited wasn't the result of careless application development, but an issue in the Vyper programming language itself, that Curve realized its mistake and promptly deleted the tweet.
Most people wouldn't think that even the programming language itself could have issues. Ordinary users are even more vulnerable, as they generally don't pay attention to which programming language developers are using before engaging with DeFi. The likelihood of stumbling upon such vulnerabilities is largely left to chance.
The news of Curve being hacked left many people stunned: "If even Curve isn't safe, is there anywhere safe in DeFi?"
This is precisely why I withdrew my funds. Protecting the principal seems more practical than the potential 10% extra investment returns per year. Moreover, when people see the foundational pillar of a building crack, their concern isn't solely about the pillar itself but whether the entire structure might collapse. From the outcome, it's clear that Curve was hanging by a thread, and it almost triggered another wave of turmoil in the DeFi market. The spark that ignited the crisis was Curve founder Michael Egorov's personal loan.
DeFi Crisis
As the founder of Curve, Michael Egorov holds about 460 million CRV tokens, accounting for 47% of the circulating supply. Based on market prices, these CRV tokens are worth nearly $300 million.
Normally, someone holding such a sum might think they could simply sell CRV and never worry about money again. Egorov's approach was more sophisticated: he collateralized his 460 million CRV tokens to borrow around $100 million from DeFi lending services such as Aave and Fraxlend. This didn't require selling CRV, so it avoided pushing down the market price, and if the token's price rose he could borrow even more. It was a clever use of leverage, but it came with a risk, namely the risk of CRV's price dropping.
Unfortunately, in this Curve incident, the hacker managed to obtain 32 million CRV tokens. Fearing that the hacker would dump them, many CRV holders sold their own CRV first. However, CRV is a relatively niche cryptocurrency with poor liquidity, and since Curve's primary trading venue had just been compromised, its market depth was shallow and couldn't absorb the sudden influx of supply.
When any asset is sold in large quantities within a short timeframe, creating a supply surge without corresponding demand, prices tend to plummet. CRV was no exception, and its market price experienced a dramatic drop, plummeting from $0.73 to as low as $0.08 on certain DeFi exchanges.
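The price collapse described above comes down to market depth. The following toy model, added here as an illustration and not code from Curve or this article's author, uses a constant-product pool (x * y = k) to show how selling the same 32 million CRV into a shallow pool versus a deep one moves the price, and how much depth would be needed to absorb the sale within a given drop. Curve's own pools use a different invariant, and every reserve figure and the swap fee below are constructed assumptions.

```python
"""Toy constant-product pool (x * y = k) showing how market depth decides
the price impact of a large sale. Added illustration, not Curve's code:
Curve pools use a different invariant, and every reserve figure here is
constructed. Prices are USD per CRV."""
import math

FEE = 0.003  # assumed swap fee, taken from the input amount


def spot_price(crv_reserve, usd_reserve):
    """Marginal price of one CRV implied by the pool's reserves."""
    return usd_reserve / crv_reserve


def sell_crv(crv_reserve, usd_reserve, amount_in, fee=FEE):
    """Sell amount_in CRV into the pool.

    Returns (usd_out, new_crv_reserve, new_usd_reserve). The product of the
    reserves (net of the fee) is held constant, so each additional CRV sold
    fetches less USD than the one before it."""
    k = crv_reserve * usd_reserve
    effective_in = amount_in * (1 - fee)
    new_usd = k / (crv_reserve + effective_in)
    usd_out = usd_reserve - new_usd
    # the fee stays in the pool, so the full amount_in is added to reserves
    return usd_out, crv_reserve + amount_in, new_usd


def price_after_sale(crv_reserve, usd_reserve, amount_in):
    """Spot price once the sale has gone through."""
    _, crv, usd = sell_crv(crv_reserve, usd_reserve, amount_in)
    return spot_price(crv, usd)


def average_fill(crv_reserve, usd_reserve, amount_in):
    """Average USD per CRV the seller actually receives."""
    usd_out, _, _ = sell_crv(crv_reserve, usd_reserve, amount_in)
    return usd_out / amount_in


def depth_to_absorb(amount_in, max_drop):
    """CRV reserve needed so that selling amount_in moves the price by at
    most max_drop (a fraction), ignoring the fee. With constant product the
    price ratio after a sale is (x / (x + a)) ** 2, so solve for x."""
    root = math.sqrt(1 - max_drop)
    return amount_in * root / (1 - root)


# constructed scenarios: both pools start at $0.73 per CRV
SHALLOW = (20_000_000, 14_600_000)    # 20M CRV against $14.6M
DEEP = (200_000_000, 146_000_000)     # ten times the depth
DUMP = 32_000_000                     # CRV the article says the hacker obtained

if __name__ == "__main__":
    for name, (crv, usd) in (("shallow", SHALLOW), ("deep", DEEP)):
        print(f"{name}: start {spot_price(crv, usd):.3f}, "
              f"after dump {price_after_sale(crv, usd, DUMP):.3f}, "
              f"avg fill {average_fill(crv, usd, DUMP):.3f}")
    print(f"CRV depth to keep a 32M sale within a 20% drop: "
          f"{depth_to_absorb(DUMP, 0.20):,.0f}")
```

In the shallow pool the post-sale price lands near $0.11 and the seller's average fill is under $0.30, while the deep pool holds above $0.50; keeping the same sale within a 20% drop would take roughly 270 million CRV of depth, which is why a thin pool can print prices far from the rest of the market.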
While witnessing CRV's price freefall, the greatest anxiety was not felt by the Curve team or even Michael Egorov himself, but by those who had accepted CRV tokens as collateral and lent money to Egorov via DeFi lending services. For instance, Aave started to worry about bad debt issues. If the CRV price dropped to a certain level, Aave would be forced to auction the CRV collateral deposited by Egorov.
Given CRV's poor liquidity and the amount already on the market, a large-scale sell-off by Aave within a short period would recover very little. The shortfall would become bad debt, and if Aave accumulated too much of it, the losses would ultimately fall on the investors who had deposited their assets into Aave.
And Aave is itself a cornerstone of DeFi, one of its foundational bricks. If Aave were to fail, the entire DeFi market might be reduced to ruins.
Therefore, Aave and other lending services quickly proposed to increase the liquidation threshold for Egorov, aiming to mitigate potential losses when it was time to sell CRV tokens. However, this was effectively pushing Egorov into a corner, forcing him to repay his debt immediately or risk having his CRV tokens auctioned. It's clear that Egorov's predicament had gone from bad to worse, having already suffered from the Curve hack and now needing to raise funds urgently for repayment.
This DeFi crisis truly hung by a thread. If the CRV price had dropped to $0.08 across the entire market last week, many people would likely have needed a lengthy recovery period. Egorov's agreed liquidation price with Aave was between $0.3 and $0.4 per CRV. Luckily, Aave "hadn't realized" that certain DeFi exchanges were quoting prices significantly below this threshold, so the liquidation wasn't triggered.
This wasn't a bug, nor was it Aave's mercy. Aave's price feed aggregates quotes from centralized and decentralized exchanges across the whole market. Although some exchanges quoted as low as $0.08, the market-wide price was still around $0.5 per token, so the liquidation wasn't executed. The situation made everyone break out in a cold sweat, especially Sun Yuchen, the founder of Tron, who had millions of dollars deposited in Aave.
If Aave were a car, at that moment it had already half plunged off the cliff, held back by a single thread. In response, some in the market extended a helping hand to Egorov, recognizing that he urgently needed funds to reduce his leverage. They offered to buy large quantities of CRV from Egorov at $0.4 per token so that he could repay his debt. Sun Yuchen also bought $2 million worth of CRV tokens.
You could say these individuals saved the DeFi market, but you could also say they were simply saving themselves. According to media reports, Egorov sold a total of around 100 million CRV tokens, raising a total of $40 million to fight the fire. The most dangerous situation has passed, and the entire DeFi industry can be said to have narrowly escaped a disaster. After the market stabilized, I believe there are two scenarios worth discussing.
Two Reflections
In hindsight, what put the DeFi market on the edge wasn't the compromised Curve protocol or Egorov's substantial use of CRV as collateral, but rather the lending platforms that knowingly accepted CRV as collateral despite its poor market liquidity and extended large loans.
Lending platforms are driven by incentives. The more diverse collateral they accept, the more people are attracted to borrow against it, driving up deposit rates. In extreme cases, lending platforms not only accept various forms of collateral but also lend out substantial sums against each, sometimes without limits.
The issue lies in risk management. Lending platforms cannot accept everything without evaluating the quality of the collateral. This event highlighted that while Curve is a reliable project, CRV's liquidity should not have allowed such substantial lending. Otherwise, in extreme scenarios, the platforms would be left holding the bag for bad debts. I anticipate that lending platforms will reconsider and lower the maximum loanable amount against certain collateral to reduce borrowers' leverage.
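The liquidation mechanics in the "DeFi Crisis" section (a liquidation price in the $0.3 to $0.4 range, a feed that ignored a single $0.08 venue) and the borrow caps anticipated in the paragraph above can be put into a small model. The code below is an added illustration, not Aave's, Curve's or the author's code. The 460 million CRV collateral and roughly $100 million debt are the article's figures; the liquidation threshold, loan-to-value ratio, venue quotes and borrow cap are constructed assumptions, and the median is a stand-in for a real multi-source price feed.

```python
"""Toy model of an over-collateralised loan, its liquidation check against a
multi-venue price, and a per-collateral borrow cap. Added illustration, not
Aave's or Curve's code. Collateral and debt come from the article; threshold,
LTV, quotes and cap are constructed assumptions."""
from statistics import median

CRV_COLLATERAL = 460_000_000      # CRV pledged (article figure)
DEBT_USD = 100_000_000            # USD borrowed against it (article figure)
LIQUIDATION_THRESHOLD = 0.55      # assumed: share of collateral value that counts
MAX_LTV = 0.50                    # assumed: share that may be borrowed at origination


def liquidation_price(collateral_amount, debt_usd, threshold=LIQUIDATION_THRESHOLD):
    """Price at which the position sits exactly on the liquidation line,
    i.e. collateral_amount * price * threshold == debt_usd."""
    return debt_usd / (collateral_amount * threshold)


def health_factor(collateral_amount, price, debt_usd, threshold=LIQUIDATION_THRESHOLD):
    """Above 1 the loan is safe; below 1 it may be liquidated."""
    return collateral_amount * price * threshold / debt_usd


def aggregated_price(quotes):
    """Median of quotes from several venues, so one thin venue printing an
    outlier price cannot move the result on its own (stand-in for a real
    multi-source feed)."""
    return median(quotes.values())


def liquidatable(collateral_amount, debt_usd, price):
    """Liquidation decision at a given reference price."""
    return health_factor(collateral_amount, price, debt_usd) < 1.0


def max_borrow(collateral_amount, price, ltv=MAX_LTV, borrow_cap_usd=None):
    """Largest debt the platform would extend. An optional per-collateral cap
    limits the borrower's leverage regardless of how much is pledged, which is
    the kind of tightening the article expects lending platforms to adopt."""
    limit = collateral_amount * price * ltv
    if borrow_cap_usd is not None:
        limit = min(limit, borrow_cap_usd)
    return limit


# constructed quotes: three venues near $0.50 and one thin DEX printing $0.08
QUOTES = {"cex_a": 0.52, "cex_b": 0.50, "dex_deep": 0.49, "dex_thin": 0.08}

if __name__ == "__main__":
    print(f"liquidation price: {liquidation_price(CRV_COLLATERAL, DEBT_USD):.3f}")
    ref = aggregated_price(QUOTES)
    print(f"aggregated price {ref:.3f}, "
          f"health factor {health_factor(CRV_COLLATERAL, ref, DEBT_USD):.2f}, "
          f"liquidate: {liquidatable(CRV_COLLATERAL, DEBT_USD, ref)}")
    thin = QUOTES["dex_thin"]
    print(f"thin-venue price {thin:.2f}, "
          f"liquidate: {liquidatable(CRV_COLLATERAL, DEBT_USD, thin)}")
    print(f"max borrow at $0.73: {max_borrow(CRV_COLLATERAL, 0.73):,.0f}; "
          f"with a $50M cap: {max_borrow(CRV_COLLATERAL, 0.73, borrow_cap_usd=50_000_000):,.0f}")
```

With these assumptions the liquidation price works out to about $0.395, inside the range the article quotes. The median of the four venues is $0.495, which keeps the health factor above 1, whereas reading the single thin venue at $0.08 would have marked the loan liquidatable. The last line shows how a borrow cap cuts the $168 million the collateral would otherwise support down to the cap, regardless of pledged size.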
However, the root cause of this event was the vulnerability in the Vyper programming language. Programming languages are like spoken languages and are public goods. They lack a business model, and anyone can freely use them. People don't usually pay much attention to them.
But this event revealed that the Vyper programming language has only one full-time developer and 2 to 3 community contributors. The primary funding sources for the team are from CurveDAO, Gitcoin Grants, and RetroPGF. Yet, the products they create carry tens of millions of dollars in assets.
I believe many individuals, including myself, might not be able to provide technical assistance, but if I see the Vyper project on Gitcoin Grants next week, I will contribute some spare change to help them gain more resources and ensure the safety of their products.
Blocktrend is an independent media outlet sustained by reader-paid subscriptions. If you think the articles from Blocktrend are good, feel free to share this article, join the member-created Discord for discussion, or add this article to your Web3 records by collecting the Writing NFT.
In addition, please recommend Blocktrend to your friends and family. If you want to review past content published by Blocktrend, you can refer to the article list. As many readers often ask for my referral codes, I have compiled them into a single page for everyone's convenience. You are welcome to use them.