What's next for DeFi after the Curve crisis?

Author: Andrew Thurman, Blockworks. Compiled by: Shan Ouba, Jinse Finance

Smarter Lending Markets and Responsive White Hat Teams Improve DeFi’s Security Post-Curve Breach

The Curve hack barely cracked the top 30 of all time, according to Rekt’s Global Exploit Loss Leaderboard, and that was before white hats and a coalition of security experts managed to recover some of the stolen funds. Even so, the incident was all the more worrying to most observers. First, Curve is a well-known liquidity protocol and a vital part of the stablecoin system.

On Sunday, July 30, the Curve team said at least twice that it had mitigated the impact of the hack, but a further attack that caused millions of dollars in damage will undoubtedly cause unease.

The fallout from the attack could have been even more worrying given the various DeFi positions held by Curve founder Michael Egorov.

Before the hack, loans worth more than $110 million were suddenly vulnerable because they were backed by Curve’s governance token (CRV) and reward tokens, which had already been hit hard. Coverage focused on analyzing the possible fallout from a liquidation, particularly the possibility that Aave could be a victim.

Eventually, however, a strong (though perhaps unlikely) group of buyers stepped in. They bought CRV in an off-market transaction, allowing Egorov to rebalance and pay down the huge debt. As of this writing, his primary address has just over $50 million in stablecoin debt, with another $18 million in spot CRV available for deployment.

Since the podcast was recorded, Egorov’s position health has improved, more funds have flowed back into the protocol, and Alchemix in particular has fully recovered.

I would add that the community response to the hack and its mitigation seems to have reached a new peak, and hopefully this standard of excellence will continue.

Indeed, while some may accuse me of being too idealistic about the Curve hack as the dust settles, there is a growing consensus that, despite multiple successful attacks on one of the ecosystem’s flagship products, DeFi will emerge more resilient. It may be a contradictory consensus.

I previously weighed in on how we should think about the impact of this hack over time in an edition of Blockworks’ Empire podcast. In my view, we will remember it for its impact on how lending markets handle risk, not just for the dollar amount lost.

Loan Market Adjustment

In the wake of the breach, lending protocols faced a lingering question: why was Michael Egorov’s position allowed to become so large and potentially risky? And the more important question: who should be held accountable?

Euler founder Michael Bentley said on Twitter that the incident is an example of why DAOs — made up of potentially immature constituencies — may not be the best choice when it comes to risk management. In fact, Aave DAO, which contracted risk modeling firm Gauntlet, appeared to have ignored warnings from its risk assessors ahead of the crisis in June. Ultimately, the DAO decided to keep the Aave v2 CRV parameters unchanged.


However, Ivan Ngmi, an anonymous contributor to Gearbox DAO, said in an interview with Blockworks that a purely programmatic risk management system is not necessarily the best option, given the degree of interdependence between different protocols and their respective governance token prices. Gearbox itself only narrowly avoided the effects of the CRV/ETH pool exploit for a few days.

He wrote: “Every protocol has to think about other protocols, allowing for possible cascading effects. If these protocols are anarchic, they can’t change anything; it’s up to the users of these protocols.”

CRV’s situation is somewhat special. In this case, the protocol’s founder controls nearly all of the tokens in circulation and borrows in multiple places using those tokens as collateral. Purely on-chain governance makes such a situation difficult to detect or mitigate.

However, systems can be enhanced even if they are not perfect. Aave-Chan Initiative founder Marc Zeller said in an interview with Blockworks that a new proposal will gradually resolve Egorov’s status in v2 within “a quarter.”

“The process is ongoing, and the utilization of the CRV pool has accelerated progress,” he wrote. Moreover, a beneficial side effect of Egorov’s rebalancing of positions is that total value locked (TVL) flows from Aave v2, whose risk parameters have not yet been fully tightened, to v3, where borrow caps can better limit borrowing by superusers.

Zeller added: “Ultimately, the overall risk of v2 is now reduced and the adoption rate of v3 is increased, so the net effect is positive.” Across the market, risk management is being approached differently. When contacted, Egorov declined to comment, citing the ongoing management of his position.
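To make the borrow-cap point concrete, here is an added toy model (not Aave's code, and with constructed prices, thresholds and position sizes): it computes an Aave-style health factor for one large CRV-backed position, shows how a price drop pushes it below the liquidation line, and shows a v3-style per-asset borrow cap rejecting the same position that a capless v2-style market accepts.

```python
from dataclasses import dataclass, field

@dataclass
class Market:
    # Constructed toy lending market; parameters are illustrative, not Aave's real CRV settings.
    price: dict                                       # symbol -> USD price
    ltv: dict                                         # symbol -> max loan-to-value at origination
    liq_threshold: dict                               # symbol -> liquidation threshold
    borrow_cap: dict = field(default_factory=dict)    # symbol -> max USD debt backed by it; absent = uncapped
    debt_against: dict = field(default_factory=dict)  # symbol -> USD debt currently backed by it

@dataclass
class Position:
    collateral: str  # single collateral asset, e.g. "CRV"
    amount: float    # units of the collateral token
    debt: float      # USD stablecoin debt

def health_factor(p: Position, m: Market) -> float:
    """Aave-style health factor: collateral value * liquidation threshold / debt. Below 1.0 = liquidatable."""
    if p.debt == 0:
        return float("inf")
    return p.amount * m.price[p.collateral] * m.liq_threshold[p.collateral] / p.debt

def liquidation_price(p: Position, m: Market) -> float:
    """Collateral price at which the health factor reaches exactly 1.0."""
    return p.debt / (p.amount * m.liq_threshold[p.collateral])

def borrow(p: Position, usd: float, m: Market) -> bool:
    """Attempt to add `usd` of debt. Enforces the per-position LTV and, if set, the market-wide borrow cap."""
    s = p.collateral
    if p.debt + usd > p.amount * m.price[s] * m.ltv[s]:
        return False  # this position alone would exceed its LTV
    cap = m.borrow_cap.get(s)
    if cap is not None and m.debt_against.get(s, 0.0) + usd > cap:
        return False  # one whale would push total debt against this asset past the cap
    p.debt += usd
    m.debt_against[s] = m.debt_against.get(s, 0.0) + usd
    return True

def demo():
    """v2-style market (no cap) vs v3-style market (capped) for one concentrated CRV position."""
    mk = lambda **kw: Market(price={"CRV": 0.60}, ltv={"CRV": 0.55}, liq_threshold={"CRV": 0.61}, **kw)
    v2, v3 = mk(), mk(borrow_cap={"CRV": 20_000_000})
    whale = Position("CRV", 300_000_000, 0.0)          # constructed: holds a large share of supply
    accepted_v2 = borrow(whale, 90_000_000, v2)        # no cap: the position is allowed to balloon
    hf_calm, liq_px = health_factor(whale, v2), liquidation_price(whale, v2)
    v2.price["CRV"] = 0.45                             # panic selling: the price drops 25%
    hf_panic = health_factor(whale, v2)                # now below 1.0, i.e. liquidatable
    accepted_v3 = borrow(Position("CRV", 300_000_000, 0.0), 90_000_000, v3)  # cap rejects it
    return accepted_v2, hf_calm, liq_px, hf_panic, accepted_v3
```

The cap does not make the whale's collateral any safer; it limits how much of the market's total debt can ride on one volatile asset, which is the exposure the text says v2 left unbounded.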

SEAL 911

The “war room” phenomenon, in which community members and volunteers work with hacked protocol developers to try to mitigate the impact of a breach, has played a key role in many recent successful recoveries. However, such an effort can be fraught with complexities.

Two security firms, BlockSec and Supremacy, came under heavy criticism on social media after releasing details of how the Vyper compiler vulnerability could be exploited. Robert Chen of OtterSec described in an excellent blog post how two different white hat operations were thwarted within minutes. In this hack, where a persistent vulnerability led to multiple attacks, publishing exploit details could have given would-be attackers the extra information they needed to get ahead of the white hats, leading to further damage.

However, I sympathize with BlockSec, who felt that, with no way to reach the affected team, explaining the flaw publicly so users could withdraw their funds was the right moral choice.

Ultimately, bringing the right people into the war room (without drawing the attention of would-be black hats) can be a tricky chicken-and-egg problem. After the Curve incident, the community may have developed a possible solution.

Prolific anonymous Paradigm security researcher samczsun has announced the launch of an “experimental” white hat response service called SEAL 911. The service, built on Telegram bots, aims to connect recently hacked teams with a group of security experts and war room veterans. Storm, an anonymous Yearn contributor and war room regular, told Blockworks in an interview that the service aims to solve the pain point of connecting affected teams with experts willing to help. Storm is also a publicly identified member of the SEAL 911 team.

He wrote: “Until then, you need reliable security personnel in your network in case of incidents or emergencies… Hopefully this will give you a one-click hotline to connect with experienced security researchers we can trust.”

According to Storm, the service has already been used because members of the Solana-based Cypher protocol contacted SEAL 911 members on Monday, shortly after the service was announced.

What’s more, SEAL 911 arrives at a time when the white hat response is likely at its most effective. Negotiators have been securing the return of funds from breaches ever since the Euler hack.

On July 30, $71 million was drained from Curve pools. As of now, 75% of that amount has been recovered through white hat operations and negotiations. Only one exploiter still holds funds - and even they face increasing pressure in the form of community bounties.

That may not offer much consolation to savers who felt trapped at the worst moment of the hack. But between protocol improvements and a moment of solidarity within the security community, the DeFi ecosystem after the Curve attack appears to be healthier than before.
