Walle Finance | The 53rd live interview - Conversation with Kevin, the core developer of Mercurity.Finance

Host : Everyone is saying that Bitcoin is sucking blood , but the locked funds in the DeFi field have not dropped significantly. Why is that?

Kevin:

According to the latest data, the total locked volume of DeFi has reached 17 billion US dollars, which has continued to rise from 700 million US dollars at the beginning of the year to 17 billion today. Even after the popularity of DeFi mining has declined, it is still growing steadily.

The blowout growth of DeFi ’s total TVL originated from the rise of projects such as YFI in July, and then accelerated in various DeFi mining projects in August and September.

I think there are three reasons why TVL continues to grow steadily after the mining enthusiasm has declined:

1. DeFi truly solves the needs in the blockchain field. Among the current DeFi projects, the three types of projects with the most locked positions are lending, trading, and financial management. These three types of products meet the three real needs in the decentralized financial field, making a large amount of funds willing to stay in the corresponding products instead of moving from one place to another.

2. DeFi's application innovations are endless and have great potential. In the past three months, new DeFi protocols have continued to emerge, such as insurance, bonds, options, etc., which has led to more funds willing to try new things entering this field and introducing new traffic. Next, more financial concepts and gameplay in traditional fields will be " DeFi " ized to create more interesting products.

3. The long-tail effect of DeFi lock-up. In the early days of DeFi , a large number of users did not know how to use decentralized wallets and Dex, which hindered the growth of DeFi lock-up. With the progress of more users, DeFi has more and more increments, and the addition of fresh blood has further pushed up the lock-up volume.

Host : Where is the next opportunity in the Defi field?

Kevin: DeFi currently has multiple sub-sectors, including lending, trading, financial management, insurance, bonds, synthetic assets, options, etc. The first three categories are relatively mature, and there are already leading projects, such as Compound, AAVE, MakerDAO, Uniswap, Synthetix, YFI, etc.

With the recent increase in security incidents, insurance is clearly a product that the market urgently needs. However, there are various problems with the current mainstream insurance projects. For example, Nexus Mutual requires community voting for compensation, and the votes are in the hands of a few large holders. Therefore, Nexus is actually a semi-centralized insurance, and many policies cannot be paid.

Another possible opportunity is to introduce financial concepts from traditional fields into the blockchain field. For example, priority-subordinated bonds can effectively divide high-risk and low-risk users, bring richer application scenarios, and solve more complex problems.

Host : Can you share with us how the code to wealth is generally found?

Kevin: You can never earn more money than you know. Knowing determines how much wealth you have. This also applies to the field of cryptocurrency. Moreover, this field has two major characteristics: the technology and concepts are very new and the update speed is very fast. So if you want to make enough money in this field, you must continue to learn and keep tracking. For example, in this round of DeFi mining, many people failed to participate in it at the first time because they lacked learning in this area.

In fact, I am also constantly learning. After learning about YFI from relevant communities and articles, I began to carefully study the relevant knowledge of DeFi and started to invest in related mining. At that time, there were also many high - quality potential currencies on Uniswap, which required more research to distinguish and participate. Including the previously popular Polkadot system and storage system, it is also necessary to reserve relevant knowledge to make investment reasonable.

Therefore, pay attention to high-quality communities, keep up with industry development, and continue learning, and you will master the method to find the code to wealth.

Host : Security issues frequently occur in the DeFi field. As a professional developer, how do you view security issues?

Kevin: Security issues may be the biggest challenge that DeFi projects need to face. In April this year, the Lendf.me platform (part of the decentralized finance dForce project) was hacked and lost $25 million. dForce uses code copied from Compound, lacks the necessary review, has almost no security checks or audits, and has no emergency procedures designed for possible vulnerabilities in smart contracts.

The hacker attack exposed the dForce team’s lack of a complete smart contract quality management and R&D system as well as a risk warning mechanism.

How to control security risks? I think it mainly depends on three aspects: strict internal control of code quality, strict external code review, and code vulnerability rewards.

First of all, the original coding and simulation testing within the project are the basis for ensuring security. Comprehensively writing test and migration scripts is a fast and effective means to ensure the security and quality of smart contracts. Improve code coverage, use Mainnet fork ganache for simulation testing, perform code reduction and continuous integration testing. Through the above measures, improve the quality of team code.

Secondly, choosing a security audit company that is proficient in DeFi technology to help conduct security audits will help discover potential problems that may be overlooked during the coding stage.

Finally, the power of the masses is huge. With the help of the community, we will launch a code vulnerability bounty program. Invite members of the white hat hacker community to reward them for the security vulnerabilities they find. This will help discover and resolve a large number of potential security vulnerabilities, thereby reducing the risk of hacker attacks.

Host : As a core developer of Mercurity.Finance, can you introduce Mercurity to your fans?

Kevin: Mercurity is an open and interconnected DeFi Platform. The Mercurity protocol is composed of several groups of sub-protocol matrices. Each group of sub-protocols is independent, pluggable, combinable, and coordinated with each other.

Currently, it includes the following five sub-protocols:

Mercurity Swap Protocol

Mercurity Lend Protocol

Mercurity Insurance Agreement

Mercury Bond Protocol

Mercury SyntheticsAsset Protocol

On the one hand, Mercurity links DeFi's liquidity through on-chain smart routing to share liquidity and financial services. On the other hand, Mercurity upgrades each liquidity pool in DeFi to a programmable fund and community-izes each liquidity pool, allowing each liquidity pool to achieve community autonomy and make each liquidity pool a dynamic component of the Mercurity ecosystem.

Mercurity promotes community power to realize innovative applications and promote new markets, fully empowers the community, mobilizes industry power, and will create unique value for users.

Mercurity community mission: to make financial services accessible.

If you are interested in the Mercurity Defi Matrix, you can follow our media:

https://medium.com/mercurityfinance

Host : How does Mercurity build an industry moat through NFT+DAO?

Kevin: The homogeneity of current DeFi projects is very serious, and many users' funds are purely for profit. We don't hate this behavior, but we are still thinking about how to continuously empower users' assets. Here we use the NFT+DAO model to continuously empower users. We believe that the role of NFT is to introduce new assets. Compared with native blockchain assets, Mercurity can introduce various NFT assets, such as US Treasury bonds, gold, etc., to increase the asset categories of the Mercurity DeFi platform and solve users' actual asset needs in one stop.

DAO is another killer feature of Mercurity. DeFi decentralized finance is about fairness and openness. Code is law. Therefore, our project governance is a matter that reflects the level of the project. We actively encourage Mee token holders to participate in community governance and jointly develop the Mee community ecosystem. In actual work, we also found that many users’ suggestions are very professional and sincere. For similar cooperation strategies and rate strategies, we at Mercurity are also willing to work with users to improve the entire Mercurity ecosystem.

Host : The recent Cheese security incident is similar to Mercurity. How do you prevent these problems?

Kevin: In order to discuss this issue, we must first understand how the "scientists" used flash loans to attack Cheese Bank. First, the attacker first borrowed 21,000 ETH through a dYdX flash loan, and then exchanged 50 WETH for 107,000 CHEESE (Cheese Bank token) in UniswapV2. At this time, the unit price of CHEESE was 0.00047 ETH/coin, and the attacker had 20,950 ETH remaining; Next, the attacker pledged 107,000 CHEESE and 78 ETH in UniswapV2 to provide trading liquidity, and obtained the UNI_V2 LP certificate automatically generated on UniswapV2. The UNI_V2 LP certificate is the only pledge certificate for liquidity providers (LPs) to provide liquidity on UniswapV2 and withdraw corresponding assets. At this time, the attacker has 20,871 ETH left; the attacker further converts the obtained collateral UNI_V2 LP certificate into sUSD_V2 certificate, which is conducive to the attacker using UNI_V2 LP certificate as collateral to lend stablecoins on Cheese Bank; then, the attacker converts 20,000 ETH into 288,000 CHEESE in UniswapV2, which will affect the balance of the CHEESE pool on UniswapV2, thereby raising the price of CHEESE. At this time, the unit price of CHEESE is 0.069 ETH/coin (145 times higher than the previous price of 0.00047 ETH/coin), and the attacker has 871 ETH left (including transaction fees). The increase in the unit price of CHEESE can effectively increase the value of UNI_V2 LP mortgaged in Cheese Bank, helping the attacker to increase the amount of crypto assets borrowed in Cheese Bank. It is worth noting that Cheese Bank measures the price of the corresponding UNI_V2 LP certificate by the amount of WETH in the liquidity pool UNI_V2-CHEESE-ETH. The attacker can effectively lend more USDC, USDT, and DAI by raising the price of UNI_V2 LP certificates. Finally, the attacker converted 288,000 CHEESE into 19,980 ETH (including handling fees) on Uniswap V2. To make up for the 21,000 ETH borrowed, he converted 58,000 USDC into 132 ETH, and returned the remaining 871 ETH (including transaction fees) to the dYdX flash loan, as if nothing had happened.

In general, the attacker manipulated the price of UNI_V2 LP certificates by resetting the price feed oracle.

For Mercurity, in order to avoid similar problems, we will take multiple measures.

1. Only lending products for mainstream currencies will be launched. Minor currencies will not be supported.

2. The oracle uses the weighted average price of Dex and Cex, which will eliminate abnormal prices and make it difficult for attackers to control the currency price.

3. Issue alarms for large transactions to promptly identify and fill loopholes.

Host : Flash loans have been very popular recently. What do you think of flash loans?

Kevin: Recently, there have been a number of attacks caused by flash loans, such as the Origin Protocol stablecoin OUSD, which was exposed to flash loan attacks. Projects such as Harvest Finance, Akropolis, Value DeFi and Cheese Bank were also attacked by flash loans, among which the Value DeFi project lost $5.4 million, the Cheese Bank project lost $3.3 million, the Akropolis project lost $2 million, and OUSD lost $7 million.

Flash loans are an application of the DeFi ecosystem. We know that DeFi has many advantages, but it also has structural flaws. DeFi requires over-collateralization, which means that the utilization rate of funds is very low. "Flash loans" allow borrowers to borrow without collateralizing assets, thereby greatly improving the utilization rate of funds.

Flash loans are loans that are borrowed and repaid in one on-chain transaction, i.e., one block, without collateral. The function of flash loans is to ensure that users can borrow and repay without collateral, i.e., if the funds are not returned, the transaction will be restored, i.e., all previously executed operations will be undone, thus ensuring the security of the agreement and funds.

Since an on-chain transaction can include multiple operations, developers can add other on-chain operations between borrowing and repayment, which gives such lending a lot more room for imagination, but also poses a huge security risk.

Many users maliciously use flash loans to borrow, exchange, deposit, and re-borrow large amounts of tokens, artificially manipulating token prices in DEX. This has led to the common flash loan attacks.

Flash loan attacks have occurred frequently since the bZx attack, but flash loan attacks are not the real systemic root risk in the DeFi ecosystem. The root cause lies in Oracle attacks, and flash loan attacks are often just attacks on Oracle. Oracle is the middleware that connects on-chain DeFi applications and off-chain data. Due to the use of a decentralized Oracle network, there are differences in trading volume and liquidity in multiple exchanges, which increases the risk of Oracle attacks.

In fact, many flash loan attacks do not involve any blockchain or smart contract security vulnerabilities, which makes it difficult to avoid flash loan attacks, and there is not much time left for projects to react when attacks occur. The premise for many flash loan arbitrage events is simply because there is a price difference in different DEXs.

So, if you want to prevent flash loans, you need to take the right remedy. There are several ways you can try:

First, from the perspective of controlling price differences, establishing a price synchronization mechanism between different exchanges or using the same price oracle can reduce the probability of arbitrage events. Second, from the perspective of smart contracts that execute arbitrage events, taking additional verification steps for transactions involving a large number of transactions or increasing the transaction fees for such transactions will reduce the occurrence of arbitrage events. Third, only mainstream currencies and currencies with good depth are supported, which increases the difficulty of flash loan operation prices.