Curve has experienced a series of liquidation crises, should we still have some expectations?

Curve's liquidation crises raise doubts about our expectations.

Author: Climber, LianGuai

On July 30th, a serious vulnerability was discovered in a partial version of the smart contract programming language Vyper, leading to attacks on several important projects including Curve Finance. According to PeckShield statistics, the cumulative losses from this attack have exceeded $52 million.

Among them, Curve Finance TVL dropped from $3.266 billion to $1.789 billion, a decrease of about 45%, almost halving. However, what is particularly alarming is that after the attack, the instantaneous price of CRV on the chain almost dropped to zero. If Chainlink had not failed to update the lowest price in time, the CRV collateralized debt positions on multiple lending protocols would have faced liquidation risks.

In response to this shocking incident, several top-ranked Korean exchanges have issued warnings to investors to be cautious about the value of CRV, and some have even suspended CRV deposit and withdrawal services. However, considering the market price response, some netizens believe that only three or four damaged liquidity pools are affected, so the impact is not significant. Wu Jihan publicly stated that he has bottomed out on CRV and continues to have confidence in Curve Finance.

In the past, Curve Finance has experienced multiple liquidation crises, and this one is particularly dangerous. So how much trustworthiness does this DeFi blue-chip project still have that investors can look forward to?

Drawbacks

1. Three liquidation crises

Affected by this attack, the trading price of CRV on multiple DEXs has experienced significant fluctuations, with the instantaneous price of the CRV/WETH trading pair on Uniswap dropping to around $0.08 at one point.

CRV has collateralized debt positions on multiple lending protocols, especially Curve founder Michael Egorov, who has collateralized a total of 292 million CRV tokens (equivalent to $181 million) on Aave, FRAXlend, Abracadabr, and Inverse, and borrowed $110 million. The comprehensive liquidation price is around $0.4.

If Chainlink were to report a price of $0.08, these collateral positions would undoubtedly be liquidated. What’s more serious is that if FUD sentiment spreads, the DeFi world will face catastrophic consequences.

A similar liquidation crisis happened last month when dForce founder Mindao stated that the Curve founder had deposited more than 33% of the circulating supply of CRV tokens on Aave but borrowed $71 million stablecoins, which posed significant risks.

In the following days, there was a slight deviation in the USDT in the Curve 3pool, with the USDT slippage ratio exceeding 74%.

In response, the Curve Finance founder had to repay the tokens multiple times to reduce liquidation risks. The largest repayment was when their associated wallet deposited 38 million Curve DAO tokens (equivalent to $24 million) into the decentralized lending platform Aave.

In November last year, CRV was heavily shorted by whales, and the price dropped to around $0.4. It was only through the Curve founder’s addition of 20 million CRV to AAVE and the release of the CrvUSD stablecoin whitepaper that CRV was able to avoid significant liquidation.

2. Frequent Liquidity Pool Skew

2023:

On June 15th, due to the sale of 205 million USDT in the Curve 3pool, the proportion of USDT reached 74.35% (301,753,409 tokens), and a slight deviation from the peg occurred.

2022:

On November 10th, the proportion of USDT in the Curve 3pool reached 80.43% (742,416,062 tokens), while the proportions of DAI and USDC were 9.79% and 9.77% respectively.

On November 13th, the USDD/3CRV pair in Curve experienced severe skew, with USDD accounting for 81.76% (32,679,832 tokens); DAl accounting for 2.99% (1,196,988 tokens); USDC accounting for 3.00% (1,200,247 tokens); and USDT accounting for 12.23% (4,891,589 tokens). The exchange rate between USDD and USDC was 1:0.981282.

On August 26th, the exchange rate between rETH and ETH on Curve dropped to 1:0.7917, resulting in a significant skew in the liquidity pool, with rETH accounting for 81.54%.

Similar phenomena have occurred in multiple instances on Curve.

3. Dependency on Vyper Language and Lack of Audits in Ecological Projects

Multiple liquidity pools on Curve Finance use Vyper language to write smart contracts. According to the analysis of the affected contracts by security company Ancilia, 136 contracts use Vyper 0.2.15 with reentrancy protection, 98 contracts use Vyper 0.2.15 version, and 226 contracts use Vyper 0.2.16 and Vyper 0.3.0.

Due to Vyper’s small codebase, it is easier to read and there are fewer changes in its history for analysis. Therefore, when the compiler undergoes significant and frequent changes, it becomes difficult to synchronize the auditing work.

On July 21st and July 25th, the Curve ecological liquidity platform Conic Finance suffered two hacker attacks and incurred a loss of $4 million due to smart contracts exceeding the audit scope.

4. Short Selling Rumors and Lawsuits

On June 9th, LianGuairaFi, Framework Ventures, and 1kx, three crypto venture capital firms, jointly sued Curve founder Michael Egorov for fraud and misappropriation of trade secrets, resulting in economic losses for the VC.

Then on June 12th, dForce founder Mindao mentioned the significant risk of Curve founder mortgaging a large amount of CRV to borrow stablecoins, and also mentioned that mortgaging their own tokens for leverage may seem like reluctant selling but is actually a kind of lure for short selling.

Similar incidents of short selling events and rumors involving Curve are also common in online communities.

Bonus Points

Curve Finance was founded by Michael Egorov and launched in January 2020. It aims to provide a decentralized exchange (DEX) built on an automated market maker (AMM) architecture, primarily focusing on stablecoins (USDT, USDC, DAI), synthetic assets/derivatives/pegged assets (wBTC, renBTC, stETH), etc. In addition to Ethereum as the main business stronghold, it has also been deployed on multiple chains.

Despite the severe damage caused by this attack, Curve Finance still ranks second in DEX.

Evaluating a project’s quality only requires comparing it with the industry leader. Compared to the DEX leader Uniswap, Curve Finance has the following advantages:

1. Efficiency and slippage

Curve focuses more on stablecoin exchanges, so the cost is lower. With Curve’s mechanism and collaboration with project parties, there are more types of stablecoins and synthetic assets that can be added to Curve’s liquidity pools. Most stablecoin trading pairs can be directly traded on Curve.

In addition, by limiting the pools and the types of assets in each pool, Curve is less affected by price fluctuations of volatile assets, minimizing impermanent loss.

2. Synthetic assets

Thanks to good partnerships with various project parties, Curve has good returns on sETH and renBTC.

Similarly, due to sufficient liquidity/LP incentives, Curve has gained support from Ethereum 2.0 staking protocol Lido and became a semi-official stETH pool.

3. Protocol revenue

All token exchange fees in Curve are unified at 0.04%, and deposit/withdrawal fees range from 0% to 0.02%. However, half of the Curve protocol revenue will be distributed to CRV token stakers.

This proportional distribution of protocol revenue will undoubtedly bring more users and LP to Curve.

4. Ecosystem quantity

Uniswap has few complementary projects, while Curve has a large number of ecosystem projects, roughly divided into core ecosystem projects, ecosystem projects, collaboration projects, and user projects.

These projects can provide direct protocol revenue to Curve, namely liquidity acquisition fees; optimize or assist the core business of Curve, the liquidity market, in liquidity fundraising or liquidity acquisition; absorb and increase the lock-up of CRV (or CVX) to avoid CRV flowing into the secondary market.

Conclusion

As Vyper contributor @fubuloubu pointed out, it takes several weeks to months to find vulnerabilities in this attack, so a bounty program is needed to help improve Vyper. However, the outdated version of Vyper still needs to be upgraded or migrated to provide higher security.

Regarding this attack, it did not deal a fatal blow to Curve Finance, and there is no talk of the end of DeFi. Similarly, the crypto market is still a dark forest, and whether optimistic or bearish on Curve Finance, one must remain cautious and rational.