DeFi weekly selection | Ethereum's DeFi ecosystem enters a period of explosive growth, but contract vulnerabilities remain a cause for concern

In this issue:

  1. One-week DeFi data: ETH and EOS currency prices have increased, and the total value of DeFi lockups has reached 1.29 billion US dollars
  2. Andreessen Horowitz General Partner: Blockchain is a computer that can make promises
  3. The evolution of the Ethereum decentralized exchange (DEX)
  4. DeFi Risks from Curve's Deadly Contract Vulnerability
  5. DeFi golden sentence of the week
  6. DeFi project progress in one week
  7. Summary

According to dapptotal's data on 34 DeFi projects, the total funds locked in the DeFi ecosystem currently amount to USD 1.29 billion, an increase of 11.88% year-on-year, of which Maker holds USD 4868.6 million, accounting for 36.35%, and EOSREX 290 million US dollars, accounting for 22.49%.

In terms of the amount locked, the DeFi ecosystem currently holds close to 4.03 million ETH, and growth has slowed down. The recent increase in the value of funds locked in DeFi is therefore mainly caused by the rise in currency prices.


(The amount locked in most DeFi projects has increased by more than 10% year-on-year, which is mainly caused by the increase in the price of ETH and EOS)

Andreessen Horowitz General Partner: Blockchain is a computer that can make promises

Original author: Chris Dixon

Traditional computers are ultimately controlled by people, such as directly by individuals, or indirectly by organizations. The blockchain overturns this power relationship and makes the code responsible for management. The game theory mechanism (so-called consensus mechanism) enables the blockchain to flexibly modify its underlying physical components, thereby effectively enabling it to resist human intervention.

The result is a properly designed blockchain whose code can provide strong guarantees for its operation. As a result, computer systems can truly achieve autonomy. They are managed by code, not humans.

Computers that make promises are useful in finance. The most famous example is Bitcoin, which makes a variety of promises, including a total amount that will never exceed 21 million BTC. This promise makes Bitcoin scarce and therefore has certain value. Without a blockchain, this commitment may be made by an individual or a business, and it is unlikely that others will trust this commitment, because people and businesses can constantly change their minds. Before the advent of Bitcoin, with the exception of naturally rare precious metals, the only reliable promise of currency scarcity came from the government.

Ethereum is the first blockchain to support a common programming language, which allows the creation of arbitrarily complex and committed software. Two early applications based on Ethereum are Compound and MakerDao. Compound promises that it will act as a neutral, low-fee loan agreement, while MakerDao promises to maintain the price stability of Dai currency, which can be used for stable payments and value storage. As of today, users have locked hundreds of millions of dollars in these applications, which proves the credibility of their promises.

Applications like Compound and Maker can do things that are not possible with non-blockchain software, such as having code to hold funds. This eliminates sources of trust beyond code and makes the system end-to-end transparent and extensible. Blockchain applications can do this work autonomously, and everyone involved in creating these projects can disappear, while software can continue to do what it does and fulfill its promises indefinitely.

The blockchain comes at the right time. Internet services have become the center of our economic, political and cultural life, but the trust between users and the people who run these services is breaking down. At the same time, industries such as finance, which traditionally rely on trust, have resisted modernization.

The next few years will be exciting, and we have only just begun to explore the maze of ideas opened by this new type of computer.

Original link: https://cdixon.org/2020/01/26/computers-that-can-make-commitments

The evolution of the Ethereum decentralized exchange (DEX)

While the world is waiting for Ethereum 2.0, many Layer 2 solutions can already help the existing PoW Ethereum blockchain.

Although the current experience of the Ethereum DeFi ecosystem is very slow, it has succeeded. Yes, Oasis or Compound has a much slower user experience than Bank of America, but speed is not where DeFi is better than its traditional competitors. Similarly, the PoolTogether and Set protocols do not require 100 tx / s performance, and design innovation depends on the composability of DeFi.

Decentralized exchanges (DEX) are different. So far, the success of DEX can be attributed to the same attributes described above, but speed is still the most important factor for any trader, and in this regard DEX is far behind the centralized exchange.

Last fall, several DEX teams launched their own capacity expansion research programs.

As of now, there are mainly 4 types of DEX expansion plans in the Ethereum ecosystem. Their representatives are:

  1. Uniswap
  2. IDEX
  3. Loopring
  4. 0x & DeversiFi

Before proceeding, let's give a simple explanation about Layer 2 capacity expansion technology, especially rollup. Here is the IDEX statement:

"There are two key costs to processing transactions on the Ethereum platform: data and calculations. All rollup solutions achieve capacity expansion by having calculations processed off-chain and pushing the results of the calculations into the network in the form of Merkle roots."

In essence, a rollup scheme batches hundreds of transactions off-chain and then updates the Ethereum main chain with a single transaction. By moving signature verification and calculation off the main chain, the rollup scheme can reduce the size of transaction data stored on the main chain.

Although the Ethereum main chain currently can only process 10-15 transactions per second, rollup can process up to 2000 transactions.

Uniswap is working with Optimism (formerly Plasma Group) to explore Optimistic Rollup technology. It demonstrated a demo version of the Unipig product at Devcon in Osaka. The result was about 200 transactions per second.

IDEX released version 2.0 in November last year. It is also based on the Optimistic Rollup design. However, unlike Uniswap, which publishes header information of all aggregated transactions to the Ethereum mainnet, IDEX's Optimistic Rollup solution does this only when the validity of a block is challenged. This greatly speeds things up because there is no limit on the number of aggregated transactions, but it does slow down withdrawals and is more dependent on the security of the IDEX external node network.

Loopring 3.0 is the first and only ZK Rollup DEX protocol on the Ethereum mainnet. Compared to the design of Optimistic Rollup, ZK Rollup generates zero-knowledge proofs for all aggregated transactions and then publishes them to the Ethereum main chain. The zero-knowledge proof selected by Loopring is exactly the zkSNARKs used by ZCash. In this case, Loopring's external node system issues a proof to the Ethereum main chain, proving that it has batch processed and executed valid transactions off-chain. As we all know, using zkSNARKs means a one-time trusted setup, or ceremony.

Both 0x and DeversiFi have announced plans for a zkSTARKs Rollup expansion solution. zkSTARKs is also a form of zero-knowledge proof, but it differs from zkSNARKs: zkSTARKs does not require a trusted setup. It can theoretically be extended to a maximum of 2000 tx / s, but it has not yet been tested, that is, this type of plan is not available in the short term.

In addition, zero-knowledge proof schemes like SNORKs, PLONK, SuperSonic, Halo, and Marlin may all be introduced into the ZK Rollup scheme.

Author: Chris Powers

Original link: doseofdefi.substack.com

DeFi Risks from Curve's Deadly Contract Vulnerability

Although the DeFi industry is full of hope, we need to remind ourselves at all times that this is a nascent industry. We are exploring a previously unknown field. Therefore, this journey may sometimes be dangerous, but it is also exciting.

For example, the contract of the DeFi project Curve has just been found to have a fatal vulnerability that allows anyone to drain the funds in the smart contract. Fortunately, this vulnerability was not exploited by an attacker, and the project team repaired it in a timely manner.

The original author MICHAEL EGOROV wrote:

"This vulnerability is not easily captured. It is hidden deep in the Curve algorithm. According to the unpublished white paper, the solution of the main equation describing the connection between balance and invariants is given by:

1

The product in this formula is taken over all balances with index not equal to j, where x_i is the "inflow" balance and x_j is the "outflow" balance. The product of everything not including the "outflow" balance (for the constant c) is calculated by multiplying x_i by everything else (except the j-th part).

When we replace the i-th asset with the j-th asset, this is not a problem, but what if i == j? Here comes the problem.

2

When i == j is not considered, and an exchange of an asset is submitted to the same asset, this asset is essentially consumed. Anyone can do it.

So, what action should be taken in this case?

One way is to declare a loophole and allow participants to withdraw funds quickly. However, this may get too much attention from black hat hackers, who will then grab action before users.

Another method is to attack the contract as a white hat, drain it, and bring the funds back to the liquidity provider. The problem is that some preemptive trading robots look for lucrative transactions (not just hacking transactions, but also arbitrage transactions) and automatically execute competitive transactions. There is currently no good solution for this situation.

Apart from requiring all limited partners (LPs) to withdraw or transfer funds, the contract does not have any termination switch or upgrade capabilities (which may give the company too much power).

It is not possible to contact all LPs in private, because Curve's growth is very rapid.

In this case, Curve decided to deploy a new version of the contract, which includes updated and better parameters and other good changes, but not to publicly disclose the fix for the problem on GitHub, or at least not before LPs had transferred their funds.

After the deployment of the new contract and UI, more than half of the funds were transferred before the loopholes were officially announced, and the remaining funds migration took 3 days.

In short, contract issues were fixed. The audit of this repair contract will be carried out at the end of January.

Although the situation was handled well, you need to be extremely careful about unaudited contracts. Before the audit, deposit only what you can afford to lose.

Curve would like to thank Sam Sun for discovering the vulnerabilities and helping to deal with the situation. Vulnerability rewards were provided by Robert Leshner (Compound), Lev Livnev, Julien Bouteloup (Stake Capital), and Richard Burton."

Original link: https://blog.curve.fi/vulnerability-disclosure/
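The missing i == j check described in the disclosure above, as an added example that is not Curve's contract code or part of the original post. It is a simplified floating-point model of a StableSwap-style solver without fees; `N`, `A`, the balances, all function names and the form of the invariant are assumptions, since the page's own equation did not survive. It shows that the exclusion loop skips nothing when i == j, and gives a regression check that the guard enforces.

```python
# Added example: simplified float model of a StableSwap-style pool; N, A and names are assumed.
N, A = 3, 100

def get_D(xp):
    """Solve the pool invariant D for balances xp by Newton iteration."""
    S, Ann = sum(xp), A * N
    D = S
    for _ in range(255):
        D_P = D
        for x in xp:
            D_P = D_P * D / (x * N)
        D_prev = D
        D = (Ann * S + D_P * N) * D / ((Ann - 1) * D + (N + 1) * D_P)
        if abs(D - D_prev) < 1e-9:
            break
    return D

def get_y(i, j, x, xp, reject_same_asset=True):
    """New outflow balance y for asset j once inflow asset i holds x.
    Returns (y, number of balances that entered the product)."""
    if reject_same_asset and i == j:          # the check that was missing
        raise ValueError("cannot exchange an asset for itself (i == j)")
    D, Ann = get_D(xp), A * N
    c, S_, terms = D, 0.0, 0
    for k in range(N):
        if k == i:
            _x = x                            # updated inflow balance
        elif k != j:
            _x = xp[k]                        # untouched balances
        else:
            continue                          # skip outflow j; unreachable when i == j
        S_ += _x
        c = c * D / (_x * N)
        terms += 1
    c = c * D / (Ann * N)
    b, y = S_ + D / Ann, D
    for _ in range(255):
        y_prev = y
        y = (y * y + c) / (2 * y + b - D)
        if abs(y - y_prev) < 1e-9:
            break
    return y, terms

def invariant_preserved(i, j, dx, xp, reject_same_asset=True):
    """Regression check: a fee-free exchange must leave D unchanged."""
    new = list(xp)
    new[i] = xp[i] + dx
    new[j], _ = get_y(i, j, new[i], xp, reject_same_asset)
    return abs(get_D(new) - get_D(xp)) < 1e-6 * get_D(xp)
```

Running `invariant_preserved` over every (i, j) pair, including i == j, is the kind of property test that surfaces this class of bug before deployment.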

DeFi golden sentence of the week

  1. "Telling people what DeFi is all about, and giving them some eth, helping them convert it to Dai, and letting them implement it on DSR and Compound, is the point." - Viktor Bunin, Bison Trails protocol researcher
  2. "Almost all DeFi smart contracts that can store your funds have a management key. If these management keys fall into the wrong hands, they may be used maliciously. It is difficult to know how these keys are protected, and you should know this information, this is the work I'm organizing." - Chris Blec
  3. "Imagine if the Ethereum 1.x group and the Ethereum 2.0 shard group cannot get along, the price of ETH1.x and ETH2.0 will be half and half, and each ETH mortgage position will be liquidated on these two chains, at least all asset-backed tokens (USDC, etc.) on one of the chains will return to zero. All Dai will disappear, and DeFi will disappear." - Eric Wall
  4. "DeFi has a data availability gap that no one is talking about. Ethereum data is public, but getting data from it is difficult. Even for an engineer, this work is messy and time-consuming." - Ganesh Swami, Covalent Founder
  5. "Can you let a bank open an account for $1 and enjoy an annualized interest rate of 7.75% without withdrawal limits or fines? This is not a problem for DeFi, and it is one of its most underrated aspects." - DeFi Pulse
  6. "I know that I am a minority on this issue, but every time I see someone saying that defi can enable you to achieve a paperless loan, I still feel embarrassed …" - Vitalik Buterin, co-founder of Ethereum

DeFi project progress in one week

  1. OasisDEX contract will be updated on February 8;
  2. Cryptocurrency accounting startup Gilded launches open financial platform for businesses;
  3. Compound is upset that DeFi startup dForce has stolen its copyright-protected code;
  4. dForce introduces revenue enhancement agreement;
  5. Chainlink releases DeFi price reference data;
  6. Cosmos launches its first DeFi project.

Summary

At present, the total value locked in the Ethereum DeFi ecosystem has exceeded $900 million. In the short term, this figure is expected to exceed the $1 billion mark. The most critical factor is actually the price of ETH. As the user experience of DeFi applications improves, more and more users will participate in DeFi. However, the recently exposed vulnerability in the Curve contract has also sounded the alarm for every participant. DeFi looks beautiful, but in the early stages, you need to do your best.