The whole story of the attack on Curve: has the potential impact on DeFi only just begun?

Author: Bankless

Compiled by: Felix, PANews

Vulnerabilities in the smart contract programming language Vyper have put DeFi at risk of contagion as liquidity pools are depleted and the threat of liquidation looms.

Attack Vectors

In the early hours of July 31, the smart contract programming language Vyper tweeted that the reentrancy locks in Vyper versions 0.2.15, 0.2.16 and 0.3.0 were malfunctioning. Malicious actors used reentrancy attacks to repeatedly re-enter contracts, leading to unauthorized operations or theft of funds. Some important projects, including Curve Finance, were attacked as a result, and initial estimates put the amount exploited as high as $70 million. Some of these funds are held by white hat hackers and MEV bots and may be recovered.

Curve Bomb

Four pools in the Curve ecosystem were attacked: CRV/ETH, alETH/ETH, msETH/ETH, and pETH/ETH. More than $45 million in liquidity was lost from the pools of the lending protocol Alchemix, the synthetic asset protocol Metronome, and the NFT lending platform JPEG'd, and nearly $25 million flowed out of the CRV/ETH pool. Another potentially affected pool is the Arbitrum Tricrypto pool, but auditors and Vyper developers have yet to find exploitable vulnerabilities.

In addition, according to DefiLlama data, the total value locked (TVL) of Curve Finance has dropped from US$3.266 billion on July 30 to US$1.869 billion, a 24-hour drop of 42.78%.


CRV Price Fluctuation

Centralized exchanges showed the CRV price bottoming out at $0.583, but the token hit a low of $0.109 on-chain. After the CRV/ETH pool was hacked, on-chain liquidity for CRV became thin, resulting in on-chain price swings.


Despite the brutal sell-off of CRV, the hackers still made money. If the funds are not recovered, the result would be a sell-off of CRV, which could have serious implications for lending protocols. Currently, the wallet still holds 7 million CRV (approximately $4.5 million).

Borrowing Warning

Curve founder Michael Egorov has taken out a large number of loans against his CRV on numerous lending protocols, the largest of which is on Aave. If the CRV price reaches the liquidation threshold, the protocol will be forced to liquidate the CRV position. According to statistics from crypto researcher 0xLoki, Michael Egorov has currently pledged 292 million CRV (181 million US dollars) as collateral and borrowed 110 million US dollars, mainly distributed as follows:

  1. 190 million CRV pledged on AAVE, with 65 million USD borrowed and a liquidation price of 0.37 USD;

  2. 46 million CRV pledged on FRAXlend, with 21 million FRAX borrowed and a liquidation price of 0.4 USD;

  3. 40 million CRV deposited on Abracadabra, with 18 million USD borrowed and a liquidation price of 0.39 USD;

  4. 16 million CRV deposited on Inverse, with 7 million USD borrowed and a liquidation price of 0.4 USD.

In the past 6 hours, Egorov topped up his collateral with about 10 million CRV on AAVE and Abracadabra.

Repayment Frenzy

Michael Egorov has been paying down his loans to avoid being liquidated in a sell-off. Following these repayments, the liquidation threshold for Michael Egorov's loan on Aave has been lowered to $0.37.


WARNING

On-chain liquidity is known to be insufficient to liquidate Michael Egorov's position. Last month, DeFi risk management firm Gauntlet attempted to freeze Aave’s CRV market, but their proposal was unanimously rejected.

Liquidity in Curve's CRV/ETH pool has disappeared. With CRV liquidity now even lower than when Gauntlet made its proposal, bad debt seems inevitable if positions are liquidated.

DeFi Overflow

In the event of bad debt, a lending protocol must draw on its insurance fund. For example, Aave will sell AAVE tokens from its Safety Module to cover any shortfall, but the sale will reduce the value of the remaining collateral.


Liquidity Impact

Widespread volatility and remaining unknowns will cause many to remove liquidity from Curve. As liquidity on Curve and other on-chain DEXs continues to dwindle, prices will become increasingly volatile.

Lender Withdrawals

Lenders are racing to withdraw funds from money market protocols. The utilization rate of Aave's USDT pool exceeded 50%, and the borrowing rate soared to 91%, putting enormous pressure on Michael Egorov's position: if the interest rate does not drop, the position will be liquidated within a few days.


While the damage to Curve pools may have been done, the potential impact of this exploit on DeFi may have only just begun. Lending protocols with CRV markets are at risk of serious bad debt, if not insolvency.
