How much trust does Curve Finance, which has escaped death, have left?

On July 30, some versions of the smart contract programming language Vyper were found to have serious vulnerabilities, causing attacks on some important projects including Curve Finance. According to PeckShield statistics, the cumulative losses of multiple parties caused by this attack have reached as much as 52 million US dollars.

Among them, Curve Finance TVL dropped from $3.266 billion to $1.789 billion, a drop of about 45%, almost halving. But what is particularly thrilling is that after the attack, the instantaneous price of CRV on the chain almost returned to zero. If Chainlink had not failed to follow up and quote the lowest price in time, the CRV mortgage debt positions based on multiple lending agreements would have directly faced liquidation risks.

In response to this shocking scene, the top five exchanges in South Korea have all expressed their views to remind investors to be cautious about the value of CRV, and some have even suspended CRV deposit and withdrawal services. However, given the market price reaction, some netizens said that there are only three or four damaged liquidity pools, and the problem is not big. Wu Jihan publicly stated that he has bought the bottom of CRV and continues to be optimistic about Curve Finance.

Curve Finance has encountered liquidation crises many times in the past, and this time is particularly dangerous. So how much trust does this DeFi blue-chip project have that investors can expect?

Deductions

1. Three liquidation crises

Affected by this attack, the trading price of CRV on multiple DEXs has fluctuated dramatically. Among them, the instantaneous price of the CRV/WETH trading pair on Uniswap once fell to around US$0.08.

CRV has mortgage debt positions in multiple lending agreements. In particular, Curve founder Michael Egorov pledged a total of 292 million CRV (approximately US$181 million) on Aave, FRAXlend, Abracadabr, and Inverse, and lent out US$110 million in funds. The comprehensive liquidation price is around US$0.4.

If Chianlink even quotes a price of $0.08, these collateral positions will undoubtedly be liquidated. What’s more serious is that when FUD sentiment spreads, the DeFi world will face a catastrophic impact.

A similar recent liquidation crisis occurred last month. dForce founder Mindao wrote that the founder of Curve deposited more than 33% of CRV's circulating tokens in Aave, but lent out 71 million stablecoins, which posed a huge risk.

In the following days, the USDT in Curve 3pool was slightly decoupled, and the USDT tilt ratio exceeded 74%.

In response, the founder of Curve Finance had to repay tokens several times to reduce the risk of liquidation. The largest of these was the deposit of 38 million Curve DAO tokens (equivalent to $24 million) from its associated wallet into the decentralized lending platform Aave.

In November last year, CRV was shorted by whales, and the price of the coin reached a low of around $0.4. CRV was saved from being liquidated in large quantities only after the founder of Curve added 20 million CRV to AAVE and the white paper of the stablecoin CrvUSD launched by the project was released.

2. Liquidity pool tilt occurs frequently

2023:

On June 15, 205 million USDT were sold in Curve 3pool, resulting in USDT accounting for 74.35% (301,753,409 pieces) and a slight depegging occurred.

2022:

As of November 10, USDT accounted for 80.43% (742,416,062 pieces) of Curve 3pool, while DAI and USDC accounted for 9.79% and 9.77% respectively.

On November 13, the USDD/3CRV in Curve was seriously tilted, with USDD accounting for 81.76% (32,679,832 pieces); DAl accounting for 2.99% (1,196,988 pieces); USDC accounting for 3.00% (1,200,247 pieces); USDT accounting for 12.23% (4,891,589 pieces). The exchange ratio of USDD and USDC is 1:0.981282.

On August 26, the exchange ratio of rETH to ETH on Curve fell to 1:0.7917, and the liquidity pool ratio was seriously skewed, with rETH accounting for 81.54%.

There are many similar cases on Curve.

3. Ecosystem projects rely on the Vyper language and auditing is absent

There are multiple liquidity pools on Curve Finance that use the Vyper language to write smart contracts. According to the analysis of the affected contracts by the security company Ancilia, 136 contracts use Vyper 0.2.15 with reentry protection, 98 contracts use Vyper 0.2.15 version, and 226 contracts use Vyper 0.2.16 and Vyper 0.3.0.

Since Vyper's codebase is small, easy to read, and has fewer changes to analyze its history, it is difficult for audits to keep up when the compiler undergoes major and frequent changes.

On July 21 and July 25, Curve ecosystem liquidity platform Conic Finance was hacked twice because the smart contract was beyond the audit scope, resulting in a loss of US$4 million.

4. Short-selling rumors and lawsuits

On June 9, three crypto venture capital firms, ParaFi, Framework Ventures, and 1kx, jointly sued Curve founder Michael Egorov for fraud and misappropriation of trade secrets, causing the VC to suffer financial losses.

Then on June 12, dForce founder Mindao reminded the founder of Curve that there were great risks in pledging a large amount of CRV to borrow stablecoins. He also mentioned that pledging one's own currency for leverage may seem like a reluctance to sell, but in fact it is an inducement to short sell.

Similar Curve short-selling incidents and rumors are also common in online communities.

Bonus Points

Founded by Michael Egorov, Curve Finance was launched in January 2020. It aims to provide a decentralized exchange (DEX) built with an automated market maker (AMM) architecture, focusing mainly on stablecoins (USDT, USDC, DAI), synthetic assets/derivatives/anchored assets (wBTC, renBTC, stETH), etc. In addition to Ethereum as its main business position, it has also deployed multiple chains.

Despite the severe damage caused by the attack, Curve Finance still ranks second among DEXs.

To evaluate the quality of a project, you only need to compare it with the leader in the field. Compared with the DEXs leader Uniswap, Curve Finance has the following advantages:

1. Efficiency and Slippage

Curve is more focused on stablecoin exchanges, so the cost of use is lower. Due to Curve's mechanism and cooperation with project parties, more types of stablecoins and synthetic assets have been formed into liquidity pools on Curve. For most stablecoin trading pairs, they can be traded directly with each other on Curve.

In addition, by limiting the pools and the types of assets in each pool, Curve is less susceptible to volatile asset price changes and minimizes impermanent loss.

2. Synthetic assets

Benefiting from the good cooperative relationship with various projects, Curve has good returns on \)sETH and $renBTC.

Similarly, due to sufficient liquidity/LP incentives, Curve received support from the Ethereum 2.0 staking protocol Lido and became a semi-official \(stETH pool.

3. Agreement income

All token exchange fees in Curve are unified at 0.04%, and deposit and withdrawal fees are between 0% and 0.02%. However, half of the Curve protocol revenue will be distributed to CRV Token stakers.

This distribution ratio of protocol income will undoubtedly bring more users and LPs to Curve.

4. Ecosystem quantity

There are few supporting projects on Uniswap, while there are many Curve ecological projects, which can be roughly divided into: core ecological projects, ecological projects, cooperation projects, and user projects according to their ecological importance.

These projects can provide Curve with direct protocol income, namely liquidity procurement fees; provide experience optimization or assistance in liquidity fundraising or liquidity procurement for Curve’s core business - the liquidity market; absorb and increase the lock-up of CRV (or CVX) to prevent CRV from flowing to the secondary market.

Conclusion

As Vyper contributor @fubuloubu said, it takes weeks to months to find the vulnerability in this attack, so a bounty program is needed to help improve Vyper. However, outdated Vyper versions still need to be upgraded or migrated to provide higher security.

As far as this attack is concerned, it did not cause a fatal blow to Curve Finance, let alone the doomsday of DeFi. Similarly, the crypto market is still a dark forest, whether you are optimistic or bearish on Curve Finance, you must remain cautious and rational.