Latest developments in the Curve incident Has the crisis been resolved? Does the founder have to sell coins and pay off debts?

Curve incident Crisis resolved? Founder selling coins to pay off debts?

Author: GaryMa Wu on Blockchain

Recently, the Curve protocol suffered from a bug in a specific version of the Ethereum programming language Vyper, resulting in funds being stolen from four pools. In addition, the founder of Curve used a large amount of CRV as collateral for borrowing on multiple lending platforms, putting CRV at risk of potential liquidation. This article will help readers understand the current situation and potential solutions to both the bug crisis and the CRV crisis.

Bug Crisis: Resolved, Some Funds Recovered

The vulnerability in Curve was caused by a bug in several specific versions (0.2.15, 0.2.16, and 0.3.0) of the Vyper programming language for Ethereum, which resulted in the failure of reentry lock protection.

The affected pools and the corresponding stolen amounts are as follows:

• OP Research Sociology Experiment of Currency and Global Citizens
• Exclusive Interview with 1inch Co-founder How does 1inch gradually innovate to grab food from the horse’s mouth in the liquidity battle?
• Extensive Article The Iron Curtain of Regulatory Control in the United States Has Fallen, What Tomorrow Will Crypto Face?

• pETH/ETH | 6,106.65 WETH (~$11m)
• msETH/ETH| 866.55 WETH (~$1.6m) and 959.71 msETH (~$1.8m)
• alETH/ETH|7,258.70WETH (~$13.6m) and 4,821.55 alETH (~$9m)
• CRV/ETH | 7,193,401.77 CRV (~$5.1m at the time of theft), 7,680.49 WETH (~$14.2m), and 2,879.65 ETH (~$5.4m)
• Additionally, Tricrypto (USDT+WBTC+ETH) on Arbitrum is also affected, although there is currently no profitable attack. The funds are secure, but users are advised to withdraw their funds.

The deposit and collateral functions of the first four affected pools have been disabled and delisted from the pool interface. The Curve team will stop CRV emissions for these pools and create new pools for alETH, msETH, and pETH. The new pools will be paired with WETH or implemented using other new ETH pools. As for CRV, a new Tricrypto pool has been formed by pairing it with crvUSD+ETH, eliminating the vulnerability to reentry attacks.

The main affected pools are those five pools that used the specific Vyper versions mentioned above and were paired with native ETH. Other pools on Curve are fundamentally safe and unaffected. Therefore, once the affected pools are abandoned and new pools are created (paired with WETH or compiled with a secure version of Vyper), the Curve bug crisis can be considered resolved (assuming the new Vyper version has no unknown vulnerabilities, lol).

As for the stolen funds, Mev Bot deployer c0ffeebabe.eth has already returned 2,879.54 ETH. @zachxbt, an on-chain detective, seems to have identified some potential suspects for the remaining stolen funds, and there is hope for recovering some of the funds and mitigating the losses for the victims.

CRV Liquidation Crisis: Highly Likely to Be Resolved, OTC Selling to Repay Debts

The CRV liquidation crisis mainly stems from Curve founder Michael Egorov’s collateralized borrowing on platforms such as Frax Finance and Aave.

Although the on-chain price of CRV briefly plummeted to around $0.08 after the vulnerability incident, the instant price drop would not trigger the liquidation mechanisms of these borrowing platforms due to the weighted mechanism of referencing multiple data sources. Despite the strong bearish sentiment in the market towards CRV, the price of CRV has generally remained stable above $0.5, while Michael Egorov’s liquidation price on Frax Finance and Aave remains around $0.35 in the short term, indicating a buffer space of about 30%. So, the crisis does not seem so urgent, does it?

The pressure mainly comes from the debt position in Fraxlend: as Fraxlend implements time-weighted variable interest rates, this position actually poses a greater risk to CRV. At 100% utilization in Fraxlend, the interest rate doubles every 12 hours and is expected to reach a maximum of 10,000% after 3.5 days. This extremely high interest rate could eventually lead to the liquidation of Michael’s position, regardless of the price. With a maximum LTV of 75%, the liquidation price of the position would reach $0.517 within 4.5 days.

However, at present, Curve founder Michael Egorov seems to have found a way out, which is to “sell CRV through OTC transactions to repay debts”.

According to @EmberCN’s monitoring, Curve founder Michael Egorov has sold a total of 54.5 million CRV, obtaining $21.8 million in funds. The buyers of these CRV include DWFLabs (12.5 million CRV), Justin Sun (5 million CRV), Li Cheng Huang (3.75 million CRV), Cream.Finance (2.5 million CRV), with an average price of $0.4.

As of the time of writing, the borrowing positions of Curve founder Michael Egorov on various lending platforms are roughly as follows:

• Supplying 257.44 million CRV on Aave v2, borrowing 49.25 million USDT, with a liquidation price of approximately $0.35.
• Supplying 38.6 million CRV on Frax, borrowing 9.19 million FRAX, with a liquidation price of approximately $0.3.
• Supplying 46.65 million CRV on Abracadabra, borrowing 12 million MIM.
• Supplying 29.1 million CRV on Inverse, borrowing 7.7 million DOLA.

In addition, the liquidation pressure on CRV is not only on the borrowers but also on the lending platforms. Now all lending platforms understand that this loan is a time bomb, and if mishandled, it may result in platform bad debts or affect the assets of other platform users.

According to @Loki_Zeng’s description, we can learn about the solutions proposed by various lending platforms as follows:

• The mechanism of Fraxlend is perfect: risk isolation of the lending pool + dynamic interest rates, without any additional measures, Michael needs to actively repay the money.
• Aave maintains decentralized governance but lacks the ability to act agilely: the discussions on the governance forum are relatively sufficient and timely. The consensus reached so far is to reduce the LTV of Curve to 0 and freeze new borrowings. However, other proposals, such as reducing LT (liquidation threshold) and increasing interest rates, still have considerable controversy.
• Abracadabra, on the other hand, aims for efficiency with a slight hint of autocracy: it proposes applying the interest of collateral to the CRV cauldrons strategy, which means all the interest will be directly collected on the CRV collateral in the cauldrons and immediately moved into the protocol treasury to increase the reserve factor of the DAO. Once in the treasury, the collateral can be converted into MIM through on-chain transactions or offline partners.
• Inverse currently has no movement.

In fact, looking back at the whole incident, Curve itself, as a liquidity and trading platform, did not have any obvious faults. Although its fund pool was stolen, resulting in user fund losses, the essence of the vulnerability lies in the Ethereum programming language Vyper. As for the liquidation crisis that caused the decline in CRV price, it was essentially caused by the actions of Michael Egorov himself, who cashed out approximately $100 million in collateral, personally planting a time bomb for CRV and lending platforms. In addition, through this incident, it also serves as a lesson for lending platforms: how to better achieve user fund security isolation and reasonable and efficient liquidation mechanisms?

Related Links:

https://hackmd.io/@LlamaRisk/BJzSKHNjn

其实这次清算危机，四个平台的治理方式和解决方案差异也是挺有意思的。

1/ Fraxlend最开始的机制就是完善的，风险隔离+动态利率，不需要任何额外措施，Michael就需要自己主动还钱。

甚至是从aave那里借更多的钱、OTC卖币也要还，Fraxlend的机制最有效、且最具公平性（事先确定的机制）

2/…

— 0xLoki (@Loki_Zeng) August 2, 2023

https://zapper.xyz/account/0x7a16ff8270133f063aab6c9977183d9e72835428?tab=apps

We will continue to update Blocking; if you have any questions or suggestions, please contact us!