DECENTRALISED FINANCE IS SERVED ANOTHER WICKED CURVEBALL
[IN CRYPTO | Saturday, 5th August, 2023]
All in all, not a great week for crypto, with rugpulls, more litigation from the SEC and yet more hacks. One story in particular really caught my attention this week because of the potential reverberations: it involves a substantial (somewhere in the region of $62m) hack on the Curve Finance platform — which is considered by many to be one of the key pillars of DeFi. Ironically, it wasn’t the hack itself that caused the commotion. Such hacks have become all too commonplace in the world of DeFi. Rather, it was the ripple effects triggered by the hack, which transported many observers back to the sickening heights of the crypto contagion drama of 2022 — causing some of them (including yours truly) to once again question the stability of the entire DeFi ecosystem…
A rising tide floats all boats, so the saying goes. But there’s also another idiom involving tidal ingress/egress in the world of traditional finance, which was first coined by Warren Buffett: you never know who’s swimming naked until the tide goes out.
And this is as true of crypto markets as it is of the world of traditional finance. Indeed, it is arguably more true because of the extreme volatility of crypto markets, coupled with the unbridled appetite for leverage and poor risk management strategies (or in fact in some cases no risk management strategies at all).
But before getting into the story itself, some background…
Ahead of the curve?
Curve Finance is a decentralised exchange (DEX), specifically designed to facilitate (and optimise) the swapping of stablecoins within the Ethereum ecosystem — without the need for financial intermediaries. As such, it is a textbook example of crypto’s disintermediation of traditional financial systems. Based on an automated market maker (AMM) architecture, Curve was launched in January 2020 by its founder Michael Egorov. The native CRV token functions as both the governance token for its associated decentralised autonomous organisation (Curve DAO), as well as acting as a utility token for the exchange platform itself.
As the Shrimpy Academy puts it:
Uniswap and Sushi have proven that decentralised exchanges can beat Coinbase and other centralised exchanges at their own game.
But Curve Finance (CRV), a decentralised exchange for stablecoins, demonstrates something different altogether. It enables fast, efficient, and low-friction stablecoin swaps, proving that decentralised currency exchange not only works but is far better than traditional forex.
So far, so good. Curve is seen as a triple-A project within the cryptosphere. And whilst the protocol currently focuses on the swapping of stablecoins pegged to the same underlying currency (still predominantly the U.S. dollar in the world of crypto), I’m sure I don’t need to underscore too heavily how potentially revolutionary such a platform could turn out to be in the fullness of time — i.e. in terms of the modernisation of the international forex (FX) trading market.
The FX market is the largest and most liquid asset market on earth. In terms of a yardstick: the Bank for International Settlements (BIS) reported last year that trading in FX markets reached $7.5 trillion per day. Applying crypto methodologies involving instantaneous settlement and drastically reduced friction in the world of FX trading would appear to me to be a no-brainer — at least on paper.
The hack
Anyway, I digress — back to the hack. Using something called a reentrancy attack, the hacker(s) stole around $62 million from the Curve platform last Sunday. The term "reentrancy" refers to the malicious tactic of repeatedly ‘calling back’ into a vulnerable smart contract before the previous calls have been fully processed, thus enabling the attacker to manipulate the contract's state and gain unauthorised access to funds or resources.
In the case of the Curve exploit, early reports suggest that the attack was made possible due to “malfunctioning reentrancy locks on several versions of the Vyper programming language” (Vyper being a Python 3 derived contract-oriented programming language designed by Vitalik Buterin in 2017 for writing smart contracts on the Ethereum platform).
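A toy Python model of the mechanism described above, added here as an illustration; it is not Curve's or Vyper's code, and the `Pool` class, its `lock_works` switch and the amounts are constructed assumptions. It runs the same withdrawal routine once with a guard that never engages and once with one that does, and checks whether the pool can still cover what it owes.

```python
# Toy model, constructed for illustration: the pool hands control to the
# recipient (a callback) before it has updated its own bookkeeping.
class Reentered(Exception): pass  # guarded function entered while running

class Pool:
    def __init__(self, lock_works):
        self.lock_works = lock_works  # False models a guard that never engages
        self.locked = False
        self.balances = {}            # what each account is owed
        self.reserves = 0             # what the pool actually holds

    def deposit(self, who, amount):
        self.balances[who] = self.balances.get(who, 0) + amount
        self.reserves += amount

    def withdraw(self, who, on_receive):
        if self.lock_works:
            if self.locked:
                raise Reentered("withdraw called while already in progress")
            self.locked = True
        try:
            amount = self.balances.get(who, 0)
            if amount == 0 or self.reserves < amount:
                return 0
            self.reserves -= amount
            on_receive(amount)        # external call: control leaves the pool
            self.balances[who] = 0    # bookkeeping updated only afterwards
            return amount
        finally:
            self.locked = False

    def solvent(self):
        return self.reserves >= sum(self.balances.values())  # monitorable invariant

def simulate(lock_works, max_calls=10):
    pool = Pool(lock_works)
    pool.deposit("honest", 90)
    pool.deposit("caller", 10)
    received = []
    def on_receive(amount):
        received.append(amount)
        if len(received) < max_calls:
            try:
                pool.withdraw("caller", on_receive)  # call back in mid-withdrawal
            except Reentered:
                pass                                 # guard refused the nested call
    pool.withdraw("caller", on_receive)
    return sum(received), pool.reserves, pool.solvent()
```

With the guard disabled, an account owed 10 is paid 100 and the pool ends up unable to cover the other depositor; with the guard working, the nested call is refused and the books balance.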
For me, all of this is an indication of both the immaturity and complexity of the technological primitives and programming languages underpinning much of crypto (perhaps especially so on Ethereum). Hacks of $50m+ (and often considerably more) seem to be an almost weekly affair in the world of crypto. In fact, so frequently do such hacks happen that many people operating in the space seem to have become almost inured to their reporting. There’s a general acceptance that, until all the security flaws are ironed out, it’s simply the cost of doing business.
There was at least one comforting side note to the hack. A ‘white hat’ hacker who goes by the name c0ffeebabe.eth was able to front-run one of the exploiter’s transactions by using a bot — clawing back over $5m in stolen funds, which were repatriated to the Curve protocol.
Apparently, however, shortly thereafter, using the same Vyper exploit, a handful of other DeFi project pools were also hacked — including JPEG’d’s pETH/ETH ($11 million); Metronome’s msETH/ETH ($3.4 million); and Alchemix’s alETH/ETH ($22.6 million). This would perhaps suggest a coordinated campaign rather than a lone wolf — either that or a free-for-all on the dark web.
The morning after the night before
This is where the story gets really interesting.
Typically, the founders of large crypto projects like Curve Finance lock their tokens up in a vesting schedule at project launch in order to reassure early investors that they’re not pissing into the wind when they invest their money. Obviously, if you’re buying a token that is subsequently being heavily sold off by its founders, then you’re effectively functioning as their exit liquidity. And nobody likes being someone else’s exit liquidity, least of all savvy investors — hence the practice of implementing strict vesting schedules, which are typically (although not always) written into smart contracts for the sake of transparency and immutability.
This means that the founders of projects like Curve are often stupendously rich on paper (if their protocols succeed, as is the case with Curve) — but without any means of converting a serious chunk of their net worth into hard cash until some agreed-upon point in time in the distant future. And when your net worth is hundreds of millions of dollars in digital zeros and ones but you’re still driving around in a beaten up old station wagon and living in a suburban two-up, two-down? Well… it all becomes a bit of a drag.
So what do these founders do? Do they wait for the pay out and in the interim cut their cloth according to their measure? Hell no, of course they don’t! This is crypto after all! Instead, they use their crypto assets as collateral to take out massive loans so they can start living well beyond their current means.
Now, I’m not here to judge. And this is something the wealthy have been doing since time immemorial (using existing assets to over-collateralise loans), so it’s not exactly a revelation as far as the practice itself is concerned. In fact, it’s quite a tax efficient way to operate.
But the risks of using highly volatile crypto assets as collateral should be immediately obvious, especially if you’re using decentralised protocols — where there is nobody you can pick up the phone to speak to when the tide suddenly goes out and you’re caught short, trying to find someone to throw you out a towel to protect your modesty.
Crypto Banter’s Substack newsletter picked up on the story:
The world of DeFi is experiencing some intense moments surrounding the events at Curve Finance!
Turns out, the founder, Michael Egorov, took a risky $100 million loan to purchase a mansion in Australia using nearly half of the supply of $CRV tokens as collateral. Unfortunately, the current price of $CRV is hovering dangerously close to a level that could spell trouble for him (and Curve Finance). The interest rate on his debt from Fraxlend has skyrocketed to a jaw-dropping 81.20%, doubling every 12 hours.
In response to the situation, Egorov launched a new Curve pool to attract liquidity and ease the pressure. However, the outcome of this situation could have significant implications for the entire crypto market, as Curve Finance is one of the largest and most interconnected protocols in DeFi.
Link to full story here.
Did we dodge a bullet?
It’s still unclear to me as I write whether or not the remedial actions taken by Egorov last week in the immediate aftermath of the hack have been enough to avert the worst case scenario from playing out. It looks that way for now, but I wouldn’t bank on it. I’m guessing there’s still a chance this could yet unravel, with potentially destructive implications for the wider DeFi ecosystem and the digital asset space more generally. For now, however, things seem to have calmed down. Egorov has offloaded some of the protocol’s liquid crypto holdings over the counter (OTC) at favourable rates to restructure some of his debts, and the price of $CRV has stabilised above the danger line (the equivalent of the ‘margin call’ territory) post-hack.
But the whole fiasco demonstrates the supreme interconnectedness of everything within the DeFi ecosystem in spite of all the focus on its decentralised credentials — and for me it highlights the fact that an infrastructure or a system is ultimately only ever as strong as its weakest component. And in the case of crypto, as with so much else, the weakest component often involves human beings and the things that motivate them. Perfect storms - or black swans - will happen. That’s about the only thing you can be certain of.
Conclusions?
There’s been a trope floating around recently - since Chainalysis published a report concerning the decreasing number of hacks within DeFi this year compared to last year - that DeFi has somehow emerged (vainglorious) from the carnage of 2022, significantly stronger and sufficiently battle-tested, prepped and fluffed-up, ready to head for the main stage and prime time.
I questioned that trope when I first started hearing it, and this most recent incident has only acted as confirmation for me. Yes, DeFi hacks are down, and many of the gaping wounds at the infrastructure level - involving the vulnerabilities of cross-chain bridges, for example - have arguably been patched up. The benefit of this ongoing (free market) process is that mistakes and vulnerabilities seldom go unpunished — hence the entire ecosystem gets stronger and more resilient over time as a result.
However, I think the Curve Finance story clearly illustrates that there may still be further egregious reckonings and shocks to come for DeFi (and ultimately therefore a long way to go) before it can be considered ‘mission-critical’ infrastructure or truly ready for prime time.
And in the interim, as ever, the only infallible way to know for sure that your crypto belongs to you and that you are not exposed to unquantifiable counterparty risks - especially when the tide rapidly retreats and people are left scrambling for their towels - is to hold onto your crypto yourself, in self-custody.
THE BALD RUGPULL AND THE SBF CONSPIRACY THEORY
Only in the world of crypto could such a headline make any sense whatsoever. Crypto Twitter was set ablaze this week with an outlandish conspiracy theory involving crypto’s arch nemesis Sam Bankman-Fried (SBF)…
Whilst more level-headed pundits have pointed out that SBF does not have unfettered access to the tools required to engage in such a scam, some would argue there’s no smoke without fire. And there certainly were more than a few raised eyebrows. I for one will definitely be following this story with great interest as it unfolds…
In brief:
After a mystery developer pulled all of the liquidity out of the BALD meme coin on Ethereum layer-2 network Base on Monday, some blockchain watchers say the wallets being used by the culprit point toward former FTX CEO Sam Bankman-Fried—currently under house arrest and with limited access to the internet.
“[The] BALD dev is like 90% SBF or an Alameda person at this point,” Cinneamhain Ventures partner Adam Cochran tweeted, noting that the same wallet address was also involved in the SushiSwap community years ago.
“The early votes on sushi governance are super sus,” Cochran observed. “When [SushiSwap creator Chef] Nomi bailed and community stepped in there weren’t tons of us around and SBF was the one posting to snapshot votes.”
Bankman-Fried was credited with rescuing funds from Uniswap, moving them to SushiSwap in September 2020.
Link to full story: https://decrypt.co/150780/bald-token-liquidity-rug-pull-linked-to-sam-bankman-fried
SEC SUES RICHARD HEART
The SEC is not exactly flavour of the month in crypto circles with its enforcement actions and lack of regulatory clarity… but then again neither is Richard Heart, who is widely regarded as a con artist.
In brief:
The U.S. Securities and Exchange Commission (SEC) sued internet marketer Richard Schueler, known online as Richard Heart, and his projects Hex, PulseChain and PulseX, alleging he raised over $1 billion across three different unregistered securities offerings beginning in 2019.
Heart also defrauded his investors, the SEC alleged in a lawsuit on Monday, by using investor funds for personal goods.
"Heart continually touted these investments as a pathway to grandiose wealth for investors, claiming that Hex, for example, 'was built to be the highest appreciating asset that has ever existed in the history of man,'" the lawsuit said. "... Although Heart claimed these investments were for the vague purpose of supporting free speech, he did not disclose that he used millions of dollars of PulseChain investor funds to buy luxury goods for himself."
PulseX and PulseChain launched earlier this month, but faced rocky starts in the weeks immediately after going live, seeing high fees, liquidity issues and exploitable bugs. The prices of the HEX, PLS and PLSX tokens fell post-launch.
Link to full story: https://www.coindesk.com/policy/2023/07/31/us-sec-sues-richard-heart-hex-pulsechain-on-unregistered-securities-fraud-allegations/
BITCOIN’S ROLE IN THE ESG IMPERATIVE
Last week, I mentioned in passing that the energy credentials of Bitcoin were non-binary. Most are familiar with the existing ESG narrative surrounding Bitcoin — that it’s basically a gas guzzler. But the more you scratch the surface, the more intriguing things become. Which is why this story caught my eye: KPMG has just published a report entitled “Bitcoin’s role in the ESG imperative”.
In brief:
In its recent report titled ‘Bitcoin's role in the ESG imperative’, Big Four accounting firm KPMG has shared what appears to be a glowing review of the asset and the role it plays in Environmental, Social, and Governance (ESG) initiatives.
“Bitcoin appears to provide a number of benefits across an ESG framework. Throughout its short history, new and innovative ways of leveraging the network and its native asset continue to emerge, such as helping to stabilise energy grids, reduce greenhouse gas emissions, and even assist with providing sustainable heat to commercial and residential properties.”
This conclusion is particularly notable, as Bitcoin's alleged environmental impact and lack of social value are often the first points of contention with the asset when speaking to detractors of the world's largest digital asset. So why did KPMG come to a different conclusion?
Link to full story: https://www.securities.io/bitcoin-provides-a-number-of-benefits-across-an-esg-framework-says-big-four-accounting-firm-kpmg/
Direct link to KPMG report (PDF): https://advisory.kpmg.us/content/dam/advisory/en/pdfs/2023/bitcoins-role-esg-imperative.pdf
WELLS FARGO ANALYST PREDICTS RIPPLE XRP PRICE COULD RISE TO $500
I’ve been following XRP (and the SEC v. Ripple case) for quite a while now. So this story caught my eye. It’s been scoffed at by many in the cryptosphere this week — but I like to keep an eye on outliers. And in many respects, I prefer to see someone going out on a limb rather than engaging in group think.
In brief:
Wells Fargo specialist Shannon Thorpe predicts Ripple XRP price could range between $100-$500 in 4-7 months.
Thorpe suggests that if Ripple wins 30% of SWIFT's daily transactions, XRP's daily use could rise to $2.1 trillion.
If XRP reaches $500, the asset's liquidity could rise to $25 trillion, surpassing JPMorgan’s daily SWIFT volume.
Thorpe argued that current prediction models for XRP are flawed because they do not consider external economic conditions when making predictions about the wider adoption that could drive XRP’s price.
Thorpe said that a comparison with the international settlement system, SWIFT, offers a sobering window into the potential of XRP. Assuming Ripple wins 30% of the $7 trillion SWIFT processes daily, its everyday use would spike to $2.1 trillion.
Link to full story: https://beincrypto.com/wells-fargo-xrp-forecast-reach-500/