After Curve was attacked: What is the next step for DeFi?

Article Author: Daniel Kuhn

Article Compiled by: Block unicorn

While developers are discussing changes to the existing AMM liquidity model, major platforms including Curve faced a $70 million exploit over the weekend.

Decentralized finance (DeFi) has been thrown into turmoil following a series of attacks on several key platforms last Sunday. According to estimates from MetaMask developer Taylor Monahan, approximately $70 million was stolen over the weekend, including funds from Curve Finance (the most widely used and influential decentralized exchange). Alchemix (a lending protocol), Pendle (a yield platform), and Metronome (a synthetic asset tool) were also attacked, along with the decentralized NFT protocol JPEG.

In response, DeFi lenders began withdrawing funds from other DeFi platforms, including Aave, leading to a spike in borrowing costs within the financial sub-industry, according to The Defiant.

Things could undoubtedly get worse; ironically, white-hat hackers were able to extract assets from several lending pools of Curve to prevent them from being stolen. Additionally, out of a total of five malicious attacks, three were apparently "front-run" by MEV (Maximal Extractable Value) experts. MEV is a controversial but unavoidable aspect of public blockchain operations that allows third parties and automated machines to search for and reorder transactions waiting for confirmation in the mempool to profit.

Coffeebabe.eth managed to reverse at least two malicious attacks by running transactions before the attacks occurred, which may have been carried out by multiple unrelated hackers. Chainlink, the on-chain data provider (also known as an "oracle" system), received some praise for preventing collateral losses across the industry during the attacks, but it seems to have done so in a roundabout way. ChainlinkGod stated on Twitter, "If platforms like Aave or other DeFi lending protocols use the (now exhausted) CRV/ETH Curve pool as an on-chain oracle, they will suffer massive bad debt losses." This statement is accurate, but perhaps a tautology.

The nature of these attacks clearly stems from a vulnerability in a programming language called Vyper, which is specifically used to launch smart contracts on Ethereum. The core team behind this programming language—supported by the Curve team—announced that older versions of Vyper are susceptible to "reentrancy" attacks. Although representatives of Vyper have indicated that projects using versions 0.2.15, 0.2.16, and 0.3.0 should seek help, it may take days, weeks, or even months to truly understand what went wrong.

Hacking attacks in the crypto world are not entirely like those in other fields. The return of stolen funds by attackers is becoming increasingly common, as these funds are essentially always traceable on the blockchain, which may make it very difficult for people to spend tainted money or cash out anywhere in the world while being known. You might think this means there would be fewer attacks in the crypto world—but that is evidently not the case. Just today, security auditing firm CertiK claimed that crypto users lost at least $303 million due to vulnerabilities in July 2023 alone.

While the technical aspects of the attacks are still being resolved and the overall impact remains unknown, there may be at least one clear takeaway. In the days following the announcement of the new product UniswapX by the Uniswap team, discussions about the future of DEXs have been ongoing. UniswapX will essentially execute trades using off-chain mechanisms, saving Uniswap users on transaction fees. Clearly, the world is moving in this direction: Cowswap, 0x, and a batch of protocols including the current UniswapX are all shifting certain aspects of trading to off-chain execution in the future.

To some extent, this brave new world of crypto trading makes sense. In any market where competitors need to innovate to attract users, costs will always tend toward zero. Crypto traders have also shown that they are often willing to sacrifice some of the guarantees of fully on-chain crypto—such as security—for better prices, faster trades, or simply an edge—by allowing a proprietary trading algorithm presumed to be beneficial to handle some of the trading processes. These issues were discussed in a recent podcast episode of "The Chopping Block."

However, given the recent setback in the DeFi space, is it not a considerable risk to undermine the one clear benefit that blockchains bring to business: immutability and transparency, especially when on-chain transaction execution can evidently encounter serious issues? I do not know what the future of blockchain will look like, but I am increasingly hearing that it will not resemble the world of AMMs (Automated Market Makers) as we know it, but will be more programmatic and automated. Perhaps this will come to pass, but one would think that people should first address the issues in the crypto space.