Is Curve helpless in the face of a crisis? Response strategies from the perspective of DeFi mining.


Currently, many DeFi asset management teams and individual DeFi Whales are using Cobo Argus to improve DeFi efficiency and strengthen asset security protection.

Original author: Luke (DeFi enthusiast, Cobo Argus product manager)

Original source: BlockBeats

The DeFi world is currently facing a crisis due to the recent attack on Curve. Starting from July 30th, the price of CRV plummeted from 0.74 USDT to below 0.5 USDT. Today, there has been a slight rebound, and it is currently stable above 0.6 USDT. Although it has been determined that this attack was caused by a bug in the old version of the Ethereum programming language Vyper, the crisis faced by Curve has not yet been resolved.

Because the founder of Curve has pledged a large amount of CRV as collateral for on-chain loans, a continued fall in price could trigger a massive forced liquidation, with the possibility of the CRV price going to zero. As one of the largest protocols in the DeFi field, Curve's latest crisis has once again dealt a major blow to the security and credibility of DeFi, which may have many adverse effects on the future development of DeFi.

Therefore, from the perspective of miners participating in DeFi mining, I will discuss how to prevent potential risks and what feasible solutions and tools can be used in daily DeFi mining.

Background of the Event

First, let’s briefly review the process of the Curve crisis through a timeline.

On July 30th, at 21:34, the pETH-ETH pool on Curve was attacked, and the pETH price dropped to $383. At 22:50, the msETH-ETH pool on Curve was attacked. At 23:34, the alETH-ETH pool on Curve was attacked.

On July 31st, at 0:44, the Ethereum programming language Vyper tweeted that the reentrancy lock in versions 0.2.15, 0.2.16, and 0.3.0 of Vyper is ineffective.

At 0:45, Curve tweeted that due to the reentrancy lock failure, stablecoin pools (alETH/msETH/pETH) that used Vyper 0.2.15 were attacked, while other pools are safe.

At 3:08, CRV-ETH was attacked, and the on-chain CRV fell to a minimum of around 0.08.

At 16:41, Curve tweeted, advising everyone to remove liquidity from the Tricrypto pool on Arb: although it had not been attacked, this pool might also be at risk.

As a result of the Curve attack, a large number of abnormal events occurred on-chain. The CRV price plummeted, causing panic that mich’s borrowing positions might be liquidated, leading to users withdrawing liquidity from Aave, and the interest rates of USDC and USDT abnormally increased. The DeFi world is being caught up in a series of associated risks.

Analysis of the Reasons

What makes this security incident special is that it is a bug at the smart contract language level, which has led to the failure of the reentrancy lock defense in some well-known projects. Fortunately, it is Vyper and not Solidity that has the problem; otherwise, the entire DeFi world could have been in jeopardy.

DeFi attracts a large number of users because of its low friction costs, composability, and higher investment returns than the traditional world. However, wallet security and smart contract security have always been the sword of Damocles hanging over DeFi.

The recent collapses of well-established protocols such as Euler and Curve have indeed caused many DeFi believers to lose confidence. Once a protocol encounters problems, it often leads to a complete loss of the entire principal. In addition to smart contract risks, there are also phishing risks, private key leakage risks, etc. How to achieve both security and efficiency when participating in DeFi has always been a challenge for the industry.

The Cobo team has been actively involved in the DeFi field for a long time and is known for its emphasis on security. Within Cobo, there is already an internal set of solutions for various DeFi security issues. The Cobo team has now externalized this set of internal solutions and launched Cobo Argus, a solution tailored for the DeFi scenario, which quickly reached a TVL of $100 million after the new version went live.

Response Strategy

Preventing events like the one that happened to Curve last night is almost impossible. Ordinary DeFi miners can only rely on discovering problems and taking countermeasures as soon as possible. In this case, making reasonable use of tools like Cobo Argus will be of great help. The withdrawal robot feature provided by Cobo Argus can monitor on-chain risk indicators and help users withdraw their funds as soon as anomalies occur.

Next, let’s analyze how to use the withdrawal robot on Cobo Argus specifically for the situation with Curve:

There are two obvious signals when problems occur with pools on Curve:

1. There is a significant decoupling of the pegged assets.

2. Due to hacking attacks and large-scale withdrawal, there is a significant decrease in TVL.

If we use Cobo Argus, we can set up these two monitoring indicators to monitor the proportion of a certain token in the LP pool and compare it with the total amount of funds in the LP pool. This way, we can monitor anomalies in real-time and have the robot automatically withdraw the funds.
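The two indicators described above, as an added example that is not part of the original article and is not Cobo Argus code: a monitor that flags a pool when one token's share of the pool exceeds a limit or when TVL falls too far below its high-water mark. The pool balances, the thresholds (70% share, 30% TVL drop) and all names are assumptions constructed for illustration.

```python
from dataclasses import dataclass

@dataclass
class PoolSnapshot:
    block: int
    balances: dict  # token symbol -> pool balance, all in one common unit

    @property
    def tvl(self):
        return sum(self.balances.values())

def signals(snap, high_water_tvl, token, max_share=0.70, max_tvl_drop=0.30):
    """Return the names of the risk signals this snapshot trips."""
    if snap.tvl == 0:
        return ["tvl_drop"]  # fully drained pool: token share is undefined
    hits = []
    if snap.balances[token] / snap.tvl > max_share:
        hits.append("imbalance")  # pool is filling up with the de-pegging token
    if high_water_tvl and (high_water_tvl - snap.tvl) / high_water_tvl > max_tvl_drop:
        hits.append("tvl_drop")   # funds drained or withdrawn at scale
    return hits

def first_trigger(history, token, **thresholds):
    """Scan snapshots in block order; return (block, signals) at the first alert."""
    high_water = 0
    for snap in history:
        # Compare against the highest TVL seen so far, so a slow drain is also caught.
        high_water = max(high_water, snap.tvl)
        hits = signals(snap, high_water, token, **thresholds)
        if hits:
            return snap.block, hits  # this is where a withdrawal would be submitted
    return None

# Constructed sample data: a two-asset pegged pool that becomes unbalanced, then drains.
HISTORY = [
    PoolSnapshot(100, {"pETH": 5000, "ETH": 5000}),
    PoolSnapshot(101, {"pETH": 5200, "ETH": 4900}),
    PoolSnapshot(102, {"pETH": 7600, "ETH": 2100}),
    PoolSnapshot(103, {"pETH": 3000, "ETH": 400}),
]

if __name__ == "__main__":
    print(first_trigger(HISTORY, "pETH"))
```

In this sample the imbalance signal fires one snapshot before the TVL signal, which is why watching both indicators gives an earlier exit than watching TVL alone.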

In general, most users only find out about the risks of DeFi protocols through warnings from white hats on Twitter. By this time, several hours may have passed since the attack occurred, and there may no longer be an opportunity to save their funds.

However, by using a robot to monitor on-chain risk indicators and automatically withdraw funds when there are risk signals, users can effectively save their assets.

Cobo Argus has launched corresponding withdrawal robots for mainstream protocols and liquidity pools to help users monitor risks and save their funds.

Hacker attacks, token decoupling, loan protocol runs… All kinds of on-chain risk events can be monitored through specific indicators. Cobo Argus also allows users to set up custom robots, custom monitoring indicators, and contract calls triggered by robots.

Expert users with good knowledge of DeFi can set their own monitoring values and robot actions, which are theoretically usable on any DeFi protocol. In the Cobo Argus community, there have been users who have saved their assets from a loan protocol through custom robots.

All of these functions are decentralized and trustless: robots are operated by Cobo, but they can only execute the DeFi operations that users have authorized and cannot exceed that authority to perform other operations. All authorizations are recorded in an immutable smart contract, and the code and authorization records of the contract are fully transparent on the chain and can be audited by anyone.

As a supplement, Cobo Argus' smart contract is based on the Plugin feature of Safe{Wallet}. Safe{Wallet} is the largest multi-signature wallet in the Ethereum ecosystem, has the highest TVL, and is recognized as the safest. Most DeFi protocols use Safe{Wallet} to manage their treasuries. The Plugin is the latest capability introduced by Safe{Wallet}, allowing third-party developers to extend the capabilities of Safe{Wallet} by writing Plugins.

Cobo has always had a close connection with the Safe{Wallet} team and developed Cobo Argus in the early stages of the Plugin capability. Based on Safe{Wallet}, a series of solutions have been introduced specifically for the DeFi scene:

DeFi Authorization

Specific DeFi protocol operation permissions can be authorized to a single wallet address for execution. Although using Safe{Wallet} and hardware wallets is relatively secure, the process is inefficient and cumbersome and not suitable for frequent DeFi operations. When DeFi protocol collapse events occur, this inefficiency and complexity can often be fatal.

By authorizing specific permissions to a single address for execution, efficiency can be improved without compromising security, because this address only executes the authorized specific operations and cannot exceed its authority or transfer the principal.

Through the authorization function of Cobo Argus, it is possible to avoid phishing attacks, loss of all principal due to hot wallet private key leakage, malicious team members transferring funds, and other situations.
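The scoped authorization described in this section, modelled as an added example that is not part of the original article and is not the Cobo Argus contract: a deny-by-default allowlist in which a delegate address may only call named functions on named contracts, with argument constraints that keep withdrawn funds flowing back to the Safe. The addresses are placeholders, and the rule format and the `receiver` argument name are assumptions.

```python
from dataclasses import dataclass

# Placeholder addresses, constructed for this example.
SAFE, BOT, POOL, TOKEN, OTHER = "0xSAFE", "0xBOT", "0xPOOL", "0xTOKEN", "0xOTHER"

@dataclass(frozen=True)
class Rule:
    target: str             # contract the delegate may call
    function: str           # function it may call on that contract
    arg_equals: tuple = ()  # (argument name, required value) pairs

# Deny by default: the bot may withdraw liquidity from one pool, and only
# when the withdrawn funds are sent back to the Safe itself.
POLICY = {
    BOT: [Rule(POOL, "remove_liquidity", (("receiver", SAFE),))],
}

def authorize(policy, sender, target, function, args):
    """Return (allowed, reason) for a call the delegate asks the Safe to execute."""
    reason = "call is not on the allowlist"
    for rule in policy.get(sender, []):
        if (rule.target, rule.function) != (target, function):
            continue
        if all(args.get(name) == value for name, value in rule.arg_equals):
            return True, "ok"
        reason = "argument constraint not met"
    return False, reason

if __name__ == "__main__":
    calls = [
        (BOT, POOL, "remove_liquidity", {"amount": 100, "receiver": SAFE}),
        (BOT, POOL, "remove_liquidity", {"amount": 100, "receiver": OTHER}),
        (BOT, TOKEN, "transfer", {"to": OTHER, "amount": 100}),
    ]
    for call in calls:
        print(call[2], call[3], "->", authorize(POLICY, *call))
```

A leaked bot key under this policy can trigger an early withdrawal into the Safe but cannot redirect the principal, which is the property the article attributes to DeFi Authorization.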

DeFi Robots

Building on the DeFi Authorization feature, Cobo Argus has launched the robot feature, which allows users to authorize specific DeFi protocol permissions to robots for automated operations such as automated reward claiming, automatic selling and reinvestment, and automatic withdrawal.

Currently, Cobo Argus is being used by many DeFi asset management teams and individual DeFi Whales, not only improving DeFi efficiency but also enhancing asset security. Recently, projects such as Solv and izumi have also used Cobo Argus as the underlying decentralized and security tool. In the future, Cobo will continue to innovate to protect ordinary users and builders in the industry and promote industry innovation and progress.

Lastly, DeFi still has infinite potential in the long run. However, mining in the DeFi world can never avoid potential risks. We hope everyone will participate with caution. “If a worker wishes to do his work well, he must first sharpen his tools.” DeFi miners should be vigilant, accumulate experience, and make good use of tools to effectively respond to different risks.
