Original Title: A Contagion Event?
Original Author: Bankless
Source: twitter
Translation: Kate, Marsbit
- After the Curve attack What is the next step for DeFi?
- Evening Must-Read | How is the development of the OP ecosystem now? Is it worth investing in?
- Multiple projects have suffered losses exceeding 59 million US dollars due to the Vyper reentrancy vulnerability. Is your funds still safe?
Note: This article is from the official Twitter account @BanklessHQ of Bankless. The original tweet content is organized by MarsBit as follows:
The EVM compiler @vyperlang has exposed a zero-day vulnerability, with the imminent threat of pool depletion and liquidation, DeFi faces the risk of a contagion event!
Attack Vector
Earlier today, Vyper revealed that its compiler version did not correctly implement a reentrant lock
Malicious actors used reentrancy attacks to repeatedly enter the contract, resulting in unauthorized operations or fund theft
ooof hacker hasn't even started selling their crv yet:
0xb1c33b391c2569b737ec387e731e88589e8ec148
— Adam Cochran (adamscochran.eth) (@adamscochran) July 30, 2023
Massacre
Multiple protocols have been compromised, with an initial estimate of up to $70 million stolen
Some of these funds are held by white hats and MEV bots and may be recovered
Here's the addresses and ~$ values I have for today's jpegd / vyper / curve carnage
Looking like ~$70m as of now?
Lots of whitehat activity + automated MEV bots though, so it'll be interesting to see what was taken by intentionally malicious operators vs what is returned. pic.twitter.com/hnxXlLPzOn
— Tay 💖 (@tayvano_) July 30, 2023
Curve Bomb
@CurveFinance has discovered that 4 different pools have been exploited
Over $45 million in liquidity has been drained from @AlchemixFi, @MetronomeDAO, and @JPEGd_69 Factory pools, and nearly $25 million has been drained from the CRV/ETH pool
Other pools on Curve currently appear to be unaffected
$CRV Compression Crisis
Centralized exchanges show that the $CRV price bottomed out at only $0.583, but the token successfully hit a low of $0.109 on-chain
After the CRV/ETH pool was hacked, on-chain $CRV liquidity became extremely thin, causing on-chain price fluctuations
Waiting Time
Despite the brutal sell-off of $CRV, the hackers still made profits! A failed recovery will result in the sale of $CRV, which could have a serious impact on lending protocols!
There are still 7 million $CRV (approximately $4.5 million) in the wallet
ooof hacker hasn't even started selling their crv yet:
0xb1c33b391c2569b737ec387e731e88589e8ec148
— Adam Cochran (adamscochran.eth) (@adamscochran) July 30, 2023
Loan Alarm
The founder of Curve, @newmichwill, has obtained a large amount of loans with his $CRV as collateral on numerous lending protocols, the largest of which is @AaveAave
If the $CRV price reaches the liquidation threshold, the protocol will be forced to liquidate the $CRV position.
Mich confirming hacker got the large CRV pool.
That's probably enough CRV to push Mich's $100M+ of CRV into liquidation on Aave, Inverse and Abracadabra if its not absorbed.
This is going to be nasty for those protocols and for Curve.
Can rebuild but possibly brace for impact https://t.co/5LHPE8jXxt
— Adam Cochran (adamscochran.eth) (@adamscochran) July 30, 2023
Payment Frenzy
To avoid being liquidated upon sale, @newmichwill has been repaying his loan debt.
Due to the repayment efforts, the new liquidation threshold for @newmichwill’s Aave loan has been reduced to $0.37 per $CRV.
Early Warning
It is reported that there is insufficient on-chain liquidity to liquidate @newmichwill’s position.
Last month, @gauntlet_xyz attempted to freeze the $CRV market on Aave, but their proposal was unanimously rejected.
https://app.aave.com/governance/proposal/?proposalId=246
Dire Situation
Liquidity in Curve’s CRV/ETH pool has vanished! $CRV liquidity has dropped even lower than when Gauntlet made their proposal.
If the position is liquidated, bad debt seems inevitable…
DeFi Spillover
Bad debt protocols must tap into insurance funds.
For example, Aave will sell tokens worth $AAVE from its safety module to cover any shortfall, but the sale will reduce the value of the remaining collateral…
Impact on Liquidity
Widespread volatility and lingering unknown factors have led many to suggest withdrawing liquidity from Curve at this time.
As liquidity continues to decrease on Curve and other on-chain DEXs, the price will become increasingly unstable.
https://twitter.com/Jasper_ETH/status/1685745826537103392
Lenders Withdrawing
Lending institutions are rushing to withdraw funds from money market protocols.
The utilization rate of Aave’s $USDT pool has exceeded 50%, pushing borrowing rates up to 91%, putting immense pressure on @newmichwill’s position: If the rates don’t decrease, it will be liquidated within a few days!
Bottom Line
While the damage to the Curve pool may already have been done, the potential impact of this exploit on DeFi may have only just begun…
The lending protocols in the $CRV market may face significant risk of bad debt, even if not bankruptcy!
Like what you're reading? Subscribe to our top stories.
We will continue to update Gambling Chain; if you have any questions or suggestions, please contact us!