Here’s a funny statistic: According to Rekt’s global exploit loss leaderboard, even before a coalition of whitehats and security experts managed to claw back the majority of stolen funds, the Curve hack just barely cracked the top 30 all-time.
For most observers, the Curve exploit no doubt felt a touch more dire in the thick of it. For one, Curve was a famously resilient protocol and a systemically important source of liquidity for stablecoins. At least twice on Sunday, July 30, the team said that the effects of the hack were mitigated, only for another exploit to drain millions — it’s enough to set anyone skittish.
The damage to the protocol may have been secondary to the hand-wringing about Curve founder Michael Egorov’s various DeFi positions.
Loans worth upwards of $110 million prior to the hack suddenly looked vulnerable, as they were backed by Curve’s beaten-down CRV governance and rewards token. A news cycle unto itself was devoted to analyzing the potential fallout of liquidation, with Aave in particular looking like a possible victim of contagion.
In the end, however, a group of well-capitalized — if not somewhat unlikely — buyers stepped in. They hoovered up CRV in over-the-counter deals and allowed Egorov to rebalance and pay down huge swaths of his obligations. At the time of writing, his primary address counts just over $50 million in stablecoin debt — with an additional $18 million in spot CRV available for deployment.
I previously weighed in on how we might conceptualize the legacy of this hack over time in an edition of Blockworks’ Empire pod. In my view, we’re going to remember this one more for its influence in terms of how lending markets handle risk than we do for the dollar amount lost.
Read more: Could there be a ‘super-big bug’ at the root of DeFi? It’s possible, says Blockworks Research
Since the podcast recording, the health of Egorov’s positions have only improved, and more money has flowed back to the protocol. Alchemix in particular has enjoyed a full recovery.
As such, I’d add that it appears as if the community response to hacks and hack mitigation has hit a new high water mark — hopefully a standard of excellence that’s here to stay.
Indeed, while some might accuse me of donning rose-colored glasses as the dust settles on the Curve hack, it increasingly appears as if DeFi will, perhaps paradoxically, emerge all the more resilient in spite of multiple successful attacks on one of the ecosystem’s flagship protocols.
Lending markets adjust
One of the lingering questions facing lending protocols in the wake of the exploit: How were Michael Egorov’s positions allowed to get so large and potentially dangerous in the first place?And, perhaps more importantly: Who is to blame?
Euler founder Michael Bently took to Twitter to say the episode is an example of why DAOs — which may be made up of less sophisticated voters — are sub-optimal for managing risk.
If there’s one thing that’s clear from recent events, DAO governance of lending protocols is not a great idea.
Most people are simply not qualified/in possession of sufficient information to determine appropriate risk parameters on complex protocols whose risks evolve in time.
— Michael Bentley (@euler_mab) August 3, 2023
Indeed, the Aave DAO, which has a contract with risk modeling firm Gauntlet, ignored at least one warning in June from the risk assessors in the lead-up to the crisis. The DAO ultimately voted to keep the Aave v2 CRV parameters in place.
However, Ivan Ngmi, a pseudonymous Gearbox DAO contributor, told Blockworks in an interview that a purely programmatic risk management system is suboptimal given the degree to which different protocols rely on one another — in addition to one another’s respective governance token prices. Gearbox narrowly avoided being impacted by the CRV/ETH pool hack by a matter of days.
“Each one of [the protocols] has to look at others and consider cascade possibilities. And if it is govern-less, then they can’t change anything, then it’s up to the users of those protocols,” Ngmi wrote.
The CRV position was somewhat unique. In this instance, a protocol founder who, while controlling a near-majority of a token’s float, took out loans at multiple venues and used those tokens as collateral — something that would be difficult for pure on-chain governance to detect or mitigate.
Systems can be hardened, if not perfected, however. In an interview with Blockworks, Marc Zeller, the founder of the Aave-Chan Initiative, said a new proposal will slowly unwind Egorov’s v2 position over the course of a “quarter.”
“This process was already ongoing and slowly achieved, but CRV pools exploit accelerated […] the schedule,” he wrote.
Additionally, one beneficial side effect of Egorov rebalancing his positions is that total value locked (TVL) flowed from Aave v2, where the risky parameters have yet to be fully mitigated, to v3, where borrow caps can better constrain power users.
“In the end overall risk in v2 is now reduced and v3 adoption increased, so net positive,” Zeller added.
While there doesn’t seem to be a clear answer for how to completely solve a situation where one user controls such a dominating the supply of a token, lending markets at the very least are approaching risk management differently.
Egorov declined to comment when reached, citing the ongoing management of his positions.
SEAL 911
The “war room” phenomenon — during which community members and volunteers team up with hacked protocol developers in an attempt to mitigate the impacts of an exploit — has played a key part in many successful recent recoveries. But such efforts can be fraught with complications.
Two security companies, Blocksec and Supremacy, drew social media flak for tweeting the details of the Vyper compiler flaw as the exploits were ongoing.
Robert Chen of OtterSec wrote a great blog post on how two different whitehat operations were foiled by mere minutes. During this hack, where an ongoing vulnerability led to multiple attacks, publishing information about the exploits may have led to further losses by giving prospective attackers additional information, allowing them to outrace the whitehats.
I’m sympathetic to Blocksec, however, who argued that because they could not get in touch with the affected teams, explaining the flaw to the public so users could withdraw funds was the right ethical choice.
Ultimately, getting the right people into the war rooms (without attracting the attention of would-be blackhats) can be a tricky chicken-and-egg problem. Perhaps in the wake of Curve the community has developed one possible solution, however.
On Monday, prolific and pseudonymous Paradigm security researcher samczsun announced the launch of an “experimental” whitehat response service dubbed SEAL 911. The service, consisting of a Telegram bot, is designed to connect recently-hacked teams to a collective of security experts and war room veterans.
Storm, a pseudonymous Yearn contributor and frequent war room participant, told Blockworks in an interview that the service aims to help solve a pain point in connecting experts willing to help with affected teams. Storm is also one of the published members of the SEAL 911 group.
“Before this, you needed to have reliable security folk in your network in case of an incident or emergency […] hopefully this gives you a one click away hot line with experienced security researchers that we can vouch for,” he wrote.
According to Storm, the service has already been used, as members of the Solana-based Cypher protocol reached SEAL members on Monday shortly after the service was announced.
What’s more, SEAL 911 arrives at a time when whitehat responses may be hitting peak levels of efficacy. Since the return of funds from the Euler hack, negotiators have been consistently securing the return of funds from exploits.
On July 30, $71 million was drained from Curve pools. As of today, 75% of that amount has been recovered via whitehat operations and negotiations. Just one exploiter still holds funds — and even they face growing pressure in the form of a community bounty.
The deadline for the CRV/ETH exploiter passeshttps://t.co/VphQ0bfYr2 pic.twitter.com/x8LP9Tx4rs
— Curve Finance (@CurveFinance) August 6, 2023
It may be little consolation to depositors who believed themselves in the lurch amidst the hack’s worst hours. But between protocol improvements and a come-together moment within the security community, the DeFi ecosystem appears healthier after the Curve attacks than before.