Author: Bankless
Translation: Felix, LianGuaiNews
A vulnerability has been discovered in the smart contract programming language Vyper, and with depleting funds and imminent liquidation threats, DeFi faces the risk of a spreading event.
Attack Vector
In the early morning of July 31st, the smart contract programming language Vyper tweeted that the anti-reentrancy lock in versions 0.2.15, 0.2.16, and 0.3.0 of Vyper is ineffective. Malicious actors are using reentrancy attacks to repeatedly resign the contract, resulting in unauthorized operations or theft of funds. Several important projects, including Curve Finance, have been attacked, with an estimated amount of funds utilized reaching as high as $70 million. Some of the funds are held by white hat hackers and MEV robots and may be recovered.
- Interpreting Polkadot 2.0 Abandoning the slot auction mechanism, selling core time in the form of NFTs, which can be sliced and combined.
- Using Snapshot as an example, unveiling the on-chain DAO governance model
- Saying goodbye to the recession, here are 10 reasons to pay attention to the recent developments in the Cosmos ecosystem.
Curve Bomb
Four liquidity pools in the Curve ecosystem, CRV/ETH, alETH/ETH, msETH/ETH, and pETH/ETH, have been attacked. Over $45 million in liquidity has been drained from the lending protocol Alchemix, the synthetic asset Metronome, and the NFT lending platform JPEG’d. Nearly $25 million has been withdrawn from the CRV/ETH pool. Another potentially affected pool is the Arbitrum Tricrypto pool, but auditors and Vyper developers have not yet found any exploitable vulnerabilities.
In addition, data from DefiLlama shows that the total value locked (TVL) in Curve Finance has dropped from $3.266 billion on July 30th to $1.869 billion, a decrease of 42.78% in the past 24 hours.
CRV Price Fluctuation
Centralized exchanges display a bottom price for CRV at $0.583, but the token has reached a low point of $0.109 on-chain. After the CRV/ETH pool was attacked, on-chain CRV liquidity has worsened, leading to price fluctuations on-chain.
Despite the brutal sell-off of CRV, the hackers still made profits. Failure to recover will result in further selling of CRV, which could have a serious impact on lending protocols. Currently, the wallet still holds 7 million CRV (approximately $4.5 million).
Lending Warning
Curve founder Michael Egorov has obtained a large amount of loans using his CRV as collateral on various lending protocols, with the largest loan being on Aave. If the CRV price reaches the liquidation threshold, the protocol will be forced to liquidate the CRV position. According to crypto researcher 0xLoki, Michael Egorov currently has 292 million CRV ($181 million) as collateral and has borrowed $110 million, mainly distributed in:
1. AAVE has collateralized 190 million CRV and borrowed 65 million US dollars with a liquidation price of $0.37;
2. FRAXlend has collateralized 46 million CRV and borrowed 21 million FRAX with a liquidation price of $0.4;
3. Abracadabr has deposited 40 million CRV and borrowed 18 million US dollars with a liquidation price of $0.39;
4. Inverse has deposited 16 million CRV and borrowed 7 million US dollars with a liquidation price of $0.4.
In the past 6 hours, Egorov has added about 10 million CRV as collateral to both AAVE and Abracadabra.
Repayment Frenzy
To avoid being liquidated during sale, Michael Egorov has been repaying his loan debts. Due to his repayment efforts, the new liquidation threshold for Michael Egorov’s loan in Aave has been lowered to $0.37.
Warning
It is known that there is insufficient on-chain liquidity to liquidate Michael Egorov’s position. Last month, DeFi risk management company Gauntlet attempted to freeze Aave’s CRV market, but their proposal was unanimously rejected.
Liquidity in the CRV/ETH pool on Curve has disappeared. The CRV liquidity has dropped even lower than when Gauntlet proposed, and if the position is liquidated, bad debt seems inevitable.
DeFi Overflow
Once bad debt occurs, the insurance funds of lending protocols must be used. For example, Aave will sell AAVE tokens from its safety module to make up for any shortfall, but the sale will reduce the value of the remaining collateral.
Liquidity Impact
Wide volatility and remaining unknown factors will cause many people to remove liquidity from Curve. As liquidity continues to decrease on Curve and other on-chain DEXs, the price will become increasingly unstable.
Lenders’ Withdrawal
Lending institutions are competing to withdraw funds from money market protocols. Aave’s USDT pool utilization has exceeded 50%, and borrowing rates have soared to 91%, putting enormous pressure on Michael Egorov’s position: if the interest rate does not decrease, it will be liquidated within a few days.
Although the damage to the Curve pool may have already occurred, the potential impact of this leverage on DeFi may have just begun. The lending protocols in the CRV market may face some serious risk of bad debt, even if they are not bankrupt.
Related reading: Losses Exceeding $50 Million, A Comprehensive Analysis of the Cascade Attack Incident Caused by Vyper Programming Language Failure
Like what you're reading? Subscribe to our top stories.
We will continue to update Gambling Chain; if you have any questions or suggestions, please contact us!
