The DeFi Dilemma: Can it Fulfil its Promise?
Last week DeFi faced another crisis, this time involving one of the stalwarts of the ecosystem, Curve Finance. Curve is a leading decentralized exchange, popular with many DeFi users for its liquidity pools, which enable depositors to earn a yield on a number of popular tokens. These include Bitcoin, Ether, and staked Ether tokens such as stETH and rETH, as well as stablecoins such as USDC and USDT.
A number of stablepools (alETH/msETH/pETH) using Vyper 0.2.15 have been exploited as a result of a malfunctioning reentrancy lock. We are assessing the situation and will update the community as things develop.
Other pools are safe. https://t.co/eWy2d3cDDj
— Curve Finance (@CurveFinance) July 30, 2023
What has made Curve so popular is that in addition to earning a yield on their deposits, liquidity providers can boost their earnings significantly through Curve's governance token, CRV.
For instance, Curve's most popular pool, 3pool, consists of DAI, USDC and USDT. The base APY on the pool is 0.85%; however, this can be boosted from 0.94% to 2.35% in CRV rewards by depositors locking up their CRV tokens.
You can further boost your return via Convex Finance and earn additional returns via their CVX token.
The Curve Exploit
Last week Curve announced that there had been a reentrancy exploit on some of their pools. It was caused by a bug with an old version of the Vyper compiler. This bug allowed attackers to drain certain Curve pools. A total of approximately $62m was extracted.
Like Solidity, Vyper is a smart contract development language for Ethereum. Vyper is the second most popular smart contract language after Solidity and is based on the widely used Python programming language. However, it is responsible for securing under $3bn of the TVL in DeFi, compared with over $66bn for Solidity.
It's only when the Tide goes out you learn who's been Swimming Naked
The Vyper bug wasn't the only issue. Curve's founder, Michael Egorov, had pledged 34% of CRV's total market cap across a number of DeFi protocols.
This meant that if CRV's price started plummeting below a certain threshold, the CRV collateral would start flooding the market in order to liquidate the position.
In order to shore up Curve, Justin Sun, founder of the Tron blockchain, then stepped in with others to purchase CRV to help stabilise prices.
As Ryan of Bankless pointed out, the potential CRV selling pressure was, plain and simple, leverage going wrong.
Founder of Curve borrowed over $100m in stablecoins on various DeFi lending protocols using his CRV as collateral.
Probably spent some (all?) $100m on IRL stuff like mansions.
Why'd he borrow against his CRV rather than sell it?
Idk, maybe to avoid tax gains and to avoid… pic.twitter.com/DwPyvy9SOa
— RYAN SΞAN ADAMS - rsa.eth (@RyanSAdams) July 31, 2023
But people really should be paying attention to who holds the tokens associated with the DeFi protocols they are using. And what these holders are doing with them.
The net effect is that Curve appears to have survived this time around, but it does highlight clear issues still facing the DeFi ecosystem.
Managing software vulnerabilities
Developers face an endless game of cat and mouse with malicious hackers trying to find vulnerabilities and exploit their code. In the past, this was confined to corporate systems that sat behind firewalls, which often required social engineering or lax security practices to get into.
Public blockchains changed this. In creating decentralized applications, huge honeypots of cryptocurrencies were created for attackers to focus their energies on. Why jump through all of the hoops to exploit institutions, when you have hundreds of millions of dollars available on public blockchain networks?
Anyone who has spent significant time working as or with developers will appreciate just how time-consuming development is. No code is ever perfect or complete. There are always ways in which it can be improved or optimised.
Heartbleed
This includes the identification of vulnerabilities, which can often lie dormant for years before being discovered. The Heartbleed OpenSSL vulnerability of 2014 is one such example, caused by a change made to the code base in 2012.
It's estimated that 17% of the web's secure web servers were exposed to the vulnerability when it was detected. The exploit enabled an attacker to retrieve encryption keys on servers and impersonate others accessing them.
Parity Multi-sig
Back in 2017, we also saw Parity Technologies' multi-sig wallet exploited to the tune of 153,037 Ether ($290,770,300 in today's prices). This was caused by a vulnerability in a library dependency. In the years since, there have been countless further exploits.
It will never be possible to eliminate errors in code. Even with AI techniques, the underlying large language models (LLMs) are trained on code that has been created by fallible humans.
Can we ever reach a point where decentralized finance can truly fulfil its potential?
I do see areas of the ecosystem in which I have great confidence, such as Circle's USDC. However, they control token issuance and are very transparent in how they operate as a business, including providing audited reports of their reserves.
Also with base network protocols themselves such as Ethereum. While I don't envisage any events on the horizon that could threaten the solvency of Ether or the security of the entire Ethereum network, there are ways to recover from major events as the DAO hack once demonstrated (although few in the Ethereum community would be supportive of this level of meddling again).
Stacking DeFi
Where I believe the problem lies is in the ability to stack app upon app and create complex positions spread across multiple DeFi apps. This is where someone deposits tokens with Curve, deposits the CRV into Convex for a yield boost and may further lock up their CVX tokens. Curve may be one of the stalwarts of DeFi. However, with each additional DeFi protocol used, the risk to users increases significantly.
Within each DeFi protocol, there will be a small number of developers who truly understand how their smart contracts work. When you combine a number of protocols together, that number becomes even smaller.
This means that only a very small proportion of users will have any idea of how safe their funds really are; the rest are simply chasing the advertised yields.
Teams do take measures such as engaging auditors to help verify their contract source code. But are those auditors re-engaged with every change? Are those auditors constantly monitoring all dependencies for updates or vulnerabilities? Even if they are, some exploits will still slip through.
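One small piece of the dependency monitoring asked about above, applied to the Curve incident: an inventory check that flags Vyper sources pinned to the compiler version named in Curve's announcement (0.2.15) and using a reentrancy lock. This is an added example, not code from Curve, Vyper or this article's author; the function names, status labels and sample contracts are constructed for illustration.

```python
import re

# Compiler versions to flag. 0.2.15 is the only one this page names;
# extend the set from the compiler project's own advisories.
FLAGGED_VERSIONS = {"0.2.15"}

PRAGMA_RE = re.compile(r"^[ \t]*#\s*(?:@version|pragma\s+version)\s+(\S+)", re.M)
LOCK_RE = re.compile(r"^[ \t]*@nonreentrant\b", re.M)
EXACT_RE = re.compile(r"^=?=?(\d+\.\d+\.\d+)$")


def audit_source(source: str) -> dict:
    """Classify one Vyper source file by its version pragma and lock usage."""
    uses_lock = bool(LOCK_RE.search(source))
    pragma = PRAGMA_RE.search(source)
    if pragma is None:
        return {"version": None, "uses_lock": uses_lock, "status": "no-pragma"}
    spec = pragma.group(1)
    exact = EXACT_RE.match(spec)
    if exact is None:
        status = "unpinned"  # a range (^, >=, ~) lets the build pick the compiler
    elif exact.group(1) in FLAGGED_VERSIONS:
        status = "affected-lock" if uses_lock else "flagged-compiler"
    else:
        status = "ok"  # only means: not in FLAGGED_VERSIONS
    return {"version": spec, "uses_lock": uses_lock, "status": status}


def audit_tree(files: dict) -> dict:
    """Map each file name to its status, given {name: source text}."""
    return {name: audit_source(src)["status"] for name, src in files.items()}


# Constructed sample contracts for illustration (not real pool code).
LOCKED_FN = '@external\n@nonreentrant("lock")\ndef withdraw():\n    pass\n'
PLAIN_FN = "@external\ndef ping():\n    pass\n"
SAMPLES = {
    "pool_a.vy": "# @version 0.2.15\n" + LOCKED_FN,
    "util_b.vy": "# @version 0.2.15\n" + PLAIN_FN,
    "pool_c.vy": "# @version ^0.3.7\n" + LOCKED_FN,
    "pool_d.vy": "#pragma version 0.3.10\n" + LOCKED_FN,
    "pool_e.vy": LOCKED_FN,
}

if __name__ == "__main__":
    for name, status in audit_tree(SAMPLES).items():
        print(f"{name}: {status}")
```

A source pragma records what the author intended, not what compiled the deployed bytecode, so treat the result as an inventory to follow up on rather than proof either way.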
Protecting Mainstream Users
I believe that for DeFi applications to go mainstream we will need greater protection for users. This could be in the form of institutions that have enough capital to make good for their users in the event of exploits. Or simply insurance for them.
Perhaps centralized exchanges will end up being the gateway that many use? Seeing how Coinbase's Base network evolves in this regard will be very interesting, as they will have the ability to provide backstops in the network.
It is incredible the amount of value that has become locked in the DeFi ecosystem during the past few years. However, from a personal perspective, I still don't feel comfortable putting any meaningful amount of funds into DeFi protocols unless I can monitor what I'm doing with them around the clock.
I have fewer concerns with stablecoins such as USDC and Ether, as there's far more transparency with how they operate, which doesn't require digging through smart contract code.
Without some breakthroughs in how user funds can be protected, I do think that many DeFi protocols will remain niche applications for those users who really understand what they're doing. Especially now as you can deposit funds with normal banks for 4-5% yields which come with government guarantees.
The risk tied with DeFi simply isn't worth it. I remain as ardent a supporter of blockchain and web3 as I ever have. But parts of DeFi still feel like high-stakes games of poker, and I'm no gambler.