Curve was attacked and its impact on DeFi has only just begun

Author: Bankless, translation: Jinse Finance 0xxz

The EVM compiler Vyper discovered a zero-day vulnerability, DeFi is facing a series of security risks, the fund pool is exhausted, and the threat of liquidation is imminent!

1. Attack route

Vyper just revealed not long ago that its version of the compiler does not properly deploy reentrancy locks. Malicious actors use re-entrancy attacks to repeatedly re-enter contracts, resulting in unauthorized operations or theft of funds.

2**, large-scale attack**

Multiple protocols were attacked and initial estimates as much as $70 million were stolen, some of these funds were held by white hats and MEV bots and are expected to be recovered.

3**, Curve bomb**

Four different fund pools of Curve Finance were attacked. More than $45 million in liquidity has flowed out from Alchemix, MetronomeDAO, and JPEG'd factory pools, and nearly $25 million has flowed out from CRV/ETH pools. Other pools on Curve have not been affected at this time.

4*********************************************************************************

Centralized exchanges show that CRV bottomed out at $0.583, but the token has touched a low of $0.109 on-chain. After the CRV/ETH pool was hacked, the CRV liquidity on the chain became extremely thin, resulting in price fluctuations on the chain.

5. Waiting

Despite Brutal CRV Selloff, Hackers Still Gain! If the stolen funds are not recovered, it will result in a sale of CRV, which could have serious implications for the lending protocol! The wallet below still has 7 million CRV ($4.5 million).

6. Loan warning

Curve founder Michael Egorov has used CRV to secure numerous loans on various lending protocols, the largest of which was on Aave. If the CRV price reaches the liquidation threshold, the protocol will be forced to liquidate the CRV position.

7**, loan repayment craze**

To avoid being liquidated when CRV sells, Michael Egorov has been paying back the loan. Michael Egorov's Aave loan has a new liquidation threshold of $0.37 per CRV after repayment efforts.

8. Early Warning

It was known that there was not enough liquidity on-chain to liquidate Michael Egorov's position. Last month, Gauntlet attempted to freeze Aave's CRV market, but their proposal was unanimously rejected.

9. Dire dilemma

The liquidity of Curve's CRV/ETH pool has been exhausted! CRV is even less liquid than it was when the Gauntlet was proposed. Bad debt seems inevitable if positions are liquidated.

10**, DeFi overflow**

Lending agreements with bad debts must draw on insurance funds. For example, Aave will sell Aave tokens from its security module to cover the shortfall, but this will reduce the value of the remaining collateral...

11、Liquidity impact

Due to the wide volatility and the unknowns that remain, many are recommending withdrawing liquidity from Curve at this time. As liquidity continues to be withdrawn from Curve and other on-chain DEXs, prices will become increasingly volatile.

12, lender withdraws

Lenders are racing to withdraw funds from money market agreements. Aave’s USDT pool utilization rate exceeded 50%, and the borrowing rate soared to 91%, which put tremendous pressure on Michael Egorov’s position: if the interest rate does not drop, it will be liquidated within a few days.

13、Conclusion

While the damaging impact on Curve pools may be over, the potential impact of this DeFi attack may have just begun...

Lending agreements in the CRV market could also be at serious risk of bad debt, if not insolvency.