🟣 Navigating Sharp CRVs

Another day, another DeFi hack. Not feeling very GM today.

Happy Monday, Blockworks fam! Another day, another DeFi hack. Not feeling very GM today.   Yesterday, Curve Finance—one of the largest DEXs focused on stablecoin swaps—was hacked. Four of its pools on Ethereum were affected, namely the pools of CRV, alETH, msETH, and pETH, all paired with ETH. In addition to these pools, Tricrypto on Arbitrum which currently has a TVL of ~$19.4M might be exploitable. All other pools are now safe, according to Curve, but the accuracy of this statement is still up for debate.    The exploit was performed through a malfunctioning reentrancy lock related to a Vyper bug. More specifically, pools containing pure ETH and using Vyper 0.2.15, 0.2.16, and 0.3.0 have been drained or recovered by white hats. Vyper is the programming language used for multiple Curve contracts, an alternative to Solidity. A reentrancy attack happens when a smart contract function momentarily relinquishes control flow of a transaction by initiating an external call to another contract that is usually written by a malicious entity. This allows the secondary contract to perform a recursive call back to the main smart contract function, leading to the depletion of its funds.   All in all, over $70M worth of tokens have been drained. It's important to note that some tokens were drained by whitehat hackers and automated MEV bots, meaning that not all drained tokens are necessarily lost. For example, the famous MEV account c0ffeebabe.eth has already returned ~2.9K ETH that was initially drained from the CRV/ETH pool. The first attack on Curve involved exploiting the pETH/ETH liquidity pool for over $11M, but this may have been front-run by a MEV searcher.   To prevent hackers from swapping alETH for native ETH, Alchemix has disabled several of its contracts. The project enables users to access future yield and utilizes a synthetic Ether derivative, alETH, which the underlying ETH backs. The Curve hack drained ~5K ETH that was backing alETH, meaning the synthetic asset is currently undercollateralized. Accordingly, alETH is trading at ~$1.6K compared to ETH's price of ~$1.9K, which means that the market-implied under-collateralization is at ~15%.   CRV is down ~12% within the past 24 hours, currently trading at ~$0.64, which has reraised concerns regarding a ~$70M Aave v2 loan taken out by the Curve Finance founder Michael Egorov against CRV. The loan defaults if CRV decreases to ~$0.38. At that price, ~$115M worth of CRV would have to be liquidated, which the protocol would struggle to do, leaving it with bad debt. A few hours ago, Egorov's wallet borrowed ~$3.5M worth of USDT from Aave and swapped it against FRAX, which was used to pay down a loan on Fraxlend, leaving the loan at a size of ~$18M FRAX. In exchange, the wallet received ~$7.6M worth of CRV that was used as collateral, which was then deposited into Aave v2 to decrease the ~$70M loan's liquidation price.    The exploits are an excellent reminder that even established protocols can have vulnerabilities in their code. Nevertheless, the event is still ongoing, and it's definitely worth closely following how things develop going forward.   – Brick   Okay ladies and gents—Permissionless II is coming up in mid-September.   We would love to see you all join the Blockworks family in Austin, TX, for the world's largest DeFi event of the year! Don't FOMO in before it's too late. FOMO in now. More information and tickets can be found here. Coinbase's rollup—Base—was launched for developers on July 13. Despite users currently only being able to bridge into the rollup, not out, Base experienced massive transaction growth over the weekend. On Sunday, daily transactions grew by ~2,800% day-on-day to ~611K, while the user count increased by ~755% to ~55K.    This was started by the launch of the meme token BALD, which has attracted a massive amount of attention. The token began trading on Jul 29 at below $0.00001 and reached a price of ~$0.085, a gain of over 8,500x in less than 24 hours.    The token has had ~$109M of volume within the past 24 hours. Within the same timeperiod, LeetSwap, which is the main trading avenue on Base, has seen ~$240M of volume, making it the fourth-largest DEX by daily volume across all chains after Uniswap, Curve, and Pancakeswap. A few hours ago, BALD's price crossed $0.09, implying a market capitalization of over $90M. However, not long after, it seems that the BALD deployer rugged as it removed almost all of the liquidity from the pool. There is currently ~$20K of liquidity left in the pool. Accordingly, the price quickly fell massively, and BALD currently trades at ~$0.004.   Investors speculate that meme coin volume will remain extremely high on the rollup since funds can't yet be withdrawn, and there is nothing else to do on the chain. Maybe this will create a robust meme coin landscape on Base, which could be strengthened further if Coinbase onboards retail traders through the chain and allows them to trade without restrictions.  Decentralization from first principles — Polynya The write-up argues that public blockchains' goals are: corruption- and censorship-resistance, as well as permissionless access, and discusses how solutions to these could be improved.   Opportunities and Considerations of Ethereum's Blockspace Future — Drew Van der Werff & Alex Matthews The article discusses the open design space for blockspace derivatives and selling future blockspace.   ZPU: The Zero-Knowledge Processing Unit — Ingonyama The blog post proposes the Zero Knowledge Processing Unit, a hardware accelerator designed to address performance overhead problems associated with zk-proofs. Maverick Protocol: Dynamic Distribution Magic Maverick is a multichain DEX that introduces liquidity automation strategies and Boosted Positions to separate itself from competitors. Read More → The ZK Stack: A Network of Composable L2s and L3s zkSync's framework for developers to create customizable execution environments with async composability makes for an extremely promising solution to scaling Ethereum. Read More → Curve suffers $70M exploit, but damage contained Code bug leaves four Curve Finance pools vulnerable to theft of over $70 million, but all other pools now safe, spokesperson says Read More → SEC accuses crypto influencer Richard Heart of securities fraud in new lawsuit The SEC targeted the unregistered sale and offering of crypto asset securities Read More → The insights, views and outlooks presented in the report are not to be taken as financial advice. Blockworks Research analysts are not registered broker/dealers or financial advisors. Blockworks Research analysts may hold assets mentioned in this report, further outlined in the Firm's Financial Disclosures. 133 W 19th St, New York, NY, 10011 Manage your email subscription preferences here.