Decentralized finance (DeFi) is reeling from a recent spate of attacks on several key platforms on Sunday.
Some $70 million was stolen in total this weekend, including from Curve Finance, one of the most-used and influential decentralized exchanges, MetaMask developer Taylor Monahan estimated. Lending protocol Alchemix, yield platform Pendle and synthetic asset tool Metronome were all also hit, along with the decentralized NFT protocol JPEG.
In response, DeFi lenders began pulling funds out of other DeFi platforms including Aave, spiking borrowing fees across the specialized financial subsector, The Defiant reported.
Things undoubtedly could have been worse. In a something of a twist, white-hat hackers were able to remove assets from a few lending pools on Curve to prevent their theft. Moreover, three out of the five total malicious attacks were apparently "front run" by MEV (maximal extractable value) experts. MEV is a controversial, but unstoppable aspect of how public blockchains work, which allows third-parties and automated machines to search out and reorder unfinalized transactions waiting in the mempool for profit.
Coffeebabe.eth is responsible for reversing at least two of the malicious attacks by frontrunning the transactions, which may have been committed by multiple unconnected hackers. Chainlink, the on-chain data provider (aka "oracle" system), is also receiving some praise for preventing sector-wide collateral damage in the attack – but seemingly in a roundabout way. Had platforms like Aave or other DeFi lending protocols used the (now drained) CRV/ETH Curve pool as an on-chain oracle, they would have gotten completely rekt with bad debt," LINK Marine ChainlinkGod tweeted. True enough, but maybe a tautology.
The nature of the attacks is apparently rooted in vulnerabilities found in a programming language called Vyper used specifically to launch smart contracts on Ethereum. The programming language's core team – which was backed by the Curve team – announced that older versions of Vyper were vulnerable to "reentrancy" attacks. It could take days, weeks or months to truly understand what went wrong, though Vyper reps have said projects that use versions 0.2.15, 0.2.16 and 0.3.0 should reach out.
Hacks in the world of crypto are not exactly like hacks elsewhere. It's increasingly common for attackers to return stolen funds, which are, by nature, always traceable on the blockchain, which can make it incredibly difficult for people to spend the tainted money or cash out anywhere without the entire world knowing about it. You'd think this would mean that attacks would be less common in crypto – but that is apparently not the case. Just today, security audit firm CertiK claimed that crypto users have lost at least $303 million from exploits in July 2023 alone.
While the technical aspects of the attacks are still being worked out, and the total fallout isn't yet known, there may be at least one clear takeaway. In the days following the announcement of UniswapX, a new product from the team behind the most popular decentralized exchange Uniswap, which would essentially use off-chain mechanics to execute trades thereby saving Uniswap users in transaction fee costs, there has been talk about the future of DEXes. Apparently the world is moving in this direction: Cowswap and 0x and a bevy of protocols including now UniswapX are all using "best execution" models that take some aspects of crypto-trading off-chain.
To some extent, this brave new world of crypto trading makes sense. In any market where competitors have to innovate to attract users, costs will always trend to zero. Crypto traders have also demonstrated that'd they would often be willing to trade in some of the assurances of fully on-chain crypto for better prices, faster transactions or just a leg-up – and that is exactly what happens when you take some of the order book process behind the veil of a proprietary trading algorithm supposedly working in your favor. The fellows on "The Chopping Block" discussed all this in their most recent podcast.
But, in light of this recent black eye for DeFi, considering that even on-chain trade execution can apparently go so wrong, doesn't it seem like an outsized risk to take out the only benefit that blockchain brings to commerce: immutability and transparency? I don't know what the future of blockchain holds, but I'm increasingly told that it will not look like the familiar world of AMMs (automated market makers), but something more programmatic and automated. Maybe that will come to pass, but you'd think people would want to work out the kinks of crypto first.
– D.K.
@danielgkuhn
daniel@coindesk.com
Major $70M DeFi Hack Hit Curve, Others