The worst-case consequences of last month’s Curve exchange hack seem to have been avoided – thanks to a series of side deals cut between the project’s debt-strapped founder and a handful of key crypto players.
But the events still served as an indictment of the prevailing decentralized finance (DeFi) narrative since last year’s collapse of Sam Bankman-Fried’s FTX crypto exchange – that centralized platforms are susceptible to greed and poor risk management while decentralized platforms keep chugging along. It turns out that DeFi is susceptible too.
Curve, a crucial decentralized exchange on Ethereum, was hacked last month for over $70 million. The price of CRV, the exchange’s native token, dropped by more than 20% in the immediate aftermath of the exploit.
The event fueled fears around the security and viability of Curve – widely considered a “blue chip” crypto exchange in a crowd of less reputable competitors. The hack also drew attention to a risky lending position from Curve’s founder, Michael Egorov, who put up 33% of the supply of CRV to bank personal loans. If CRV dropped low enough in price, that collateral could have been automatically liquidated by DeFi lending platforms and then dumped onto the open market – tanking a systemically-important DeFi asset’s price.
Curve offered its exploiter a 10% bounty in exchange for returned funds, and the platform has managed to recover nearly 75% of the assets lost to the attack. The price of CRV has also rebounded slightly in the past week as the Curve founder has paid down some of his loans – meaning his massive CRV bags are at lower risk of getting liquidated than they were immediately following the hack.
But the Curve fiasco was still a reckoning for one of the largest crypto exchange platforms and held warning signs for DeFi in general.
First, what is Curve?
Launched in 2020, Curve is a decentralized exchange (DEX) on Ethereum.
At a high level, the platform works similarly to DEXs like Uniswap, allowing people to swap between cryptocurrencies without the need for intermediaries. As with many other DEXs, anyone can deposit crypto into a Curve “pool” – a basket of various cryptocurrencies. The pools are used by other traders to exchange between tokens, with token prices set by the ratio of different assets within a given pool. Pool depositors – so-called “liquidity providers” – earn a portion of the trading fees.
In contrast to Uniswap and most other exchanges, Curve’s features are designed specifically for trading stablecoins and other like-kind assets – digital tokens tied to the price of some other asset. During the DeFi bull run of 2020-21, Curve was at one point the largest DEX by trading volume – amassing more than $20 billion worth of liquidity at its peak.
Why was CRV so important?
In addition to its focus on like-kind assets, the primary feature that allowed Curve to flourish during the last crypto bull run was the platform’s CRV-based incentive structure.
Curve incentivizes liquidity providers to deposit into its pools by rewarding them with CRV tokens atop the regular interest generated from trading fees. The platform offers further rewards to those users who are willing to lock up their CRV in exchange for veCRV – another type of reward. CRV can be locked up for years at a time – the longer the lockup, the bigger the veCRV rewards.
veCRV doubles as votes in the Curve system, meaning it can be used to influence how Curve distributes rewards to different pools. The pursuit of veCRV led to the “Curve Wars” – where people competed to amass veCRV tokens to direct the flow of rewards to their preferred pools.
The Curve Wars made CRV and veCRV systemically important within the broader DeFi ecosystem. The tokens were used widely in lending and borrowing, they were collected by crypto protocols looking to drive liquidity to their own Curve pools, and they powered a variety of offshoot platforms, like Convex, built specifically to capitalize on Curve’s reward system.
Beware the incentive game
Curve’s dominance has faded in recent months as the bear market has eaten into the price of CRV – allowing newer competitors, like Uniswap V3, to seize some of the platform’s market share. According to DefiLlama, Curve currently boasts $2.4 billion in deposits, or just a tenth of the peak of $24 billion in 2022.
The CRV price has likewise decreased to 60 cents, down from around $6 at its 2022 peak, and down 20% since last month’s hack.
“I think Curve will have issues now as a result of people second-guessing the Curve token,” said Sid Powell, CEO of Maple Finance, a blockchain-based credit marketplace that offers DeFi services to institutions and accredited investors.
The long-term viability of Curve’s CRV reward program – a vestige of DeFi’s early days, where money-printing machines in the form of token issuances were the go-to model for attracting users – seems less certain now, in light of the CRV price declines. Powell called the system “ponzinomics.”
“It is kind of like a melting iceberg scenario, where they have to find some way to add or recreate utility for CRV,” said Powell. “Otherwise, there would be no point in having it,” since the rewards for using Curve without CRV – the interest generated purely from trading fees – is a pittance relative to what users get from CRV bonuses.
“I’m watching what that second-order effect is for Curve TVL [total value locked] and the number of protocols that are kind of built on Curve TVL,” he added. “If the CRV token rewards are removed or valueless, what would happen to Convex at that point?”
CoinDesk attempted to consult Curve founder Michael Egorov for this story but was unsuccessful.
“Blue Chip” doesn’t mean fool-proof
Over time, Curve has earned a reputation as a “blue chip” decentralized exchange (DEX) – one of the relatively few safe protocols in a sea of buggy ones. It was relatively simple in its design and, until July, was one of the few big DeFi platforms to avoid any major hacks.
The Curve exploit served as a reminder that scale does not equal security.
Last month’s attack happened as a result of a bug in the compiler for Vyper – a programming language similar to Solidity that allows people to code up smart contracts. The specific vulnerability in Vyper’s code, a so-called re-entrancy attack, allowed a hacker to repeatedly withdraw funds from Curve without the protocol realizing that it had already sent the funds.
While Curve is well-known, Vyper is not. The vulnerability in Vyper drew attention to the myriad avenues by which attackers can theoretically sabotage decentralized systems, and it is possible that the risks will only become greater as the systems powering decentralized systems become more complex.
Decentralized protocols vs. centralized token supply
In the months leading up to July’s exploit, Curve founder Michael Egorov took out around $100 million worth of loans. As collateral, he used around $200 worth of CRV – 33% of all CRV in existence.
If the price of CRV fell low enough, Egorov would have been liquidated – meaning his collateral would have been dumped onto the market. This could have triggered a full collapse of CRV, which is relatively illiquid but remains systemically important to DeFi.
The fact that the founder of “blue chip” decentralized finance protocol was able to amass more than a third of its native token’s supply – and then put it up as collateral to back millions of dollars in loans – should have raised eyebrows, according to experts, due to its potential ramifications for the protocol and for DeFi as a whole.
“I don’t necessarily think it’s a sign of unethical behavior, but it does open up risks – exactly as you’ve seen occur – and the risks are not too hard to predict,” remarked Powell. “If you have a $100 million loan, and you have that on leverage, and it’s against your token, there’s a chance your token could drop in price and you’ll need to liquidate it to cover yourself.”
DeFi doesn’t offer full transparency
Egorov managed to de-risk his lending positions by paying down portions of his loans – decreasing the price at which his CRV would be subject to liquidation. However, Egorov needed to make over-the-counter deals with big-money crypto “whales” like TRON founder Justin Sun in order to finance these payments.
It wasn’t the first time that a big player like Sun has stepped in to prevent a crypto collapse. It was a reminder, after a handful of similar ones, that power in decentralized finance rests with just a handful of actors – a scenario not dissimilar to traditional finance.
As CoinDesk’s Daniel Kuhn argued in a deftly-written column last week, “the spirit that propelled DeFi forward, the dream of disintermediating money from power and providing easy access to basic and complex financial products without fear or favor is dead.”
It’s true, as Adam Blumberg pointed out in a response to Kuhn’s column, that blockchain technology enabled minute-by-minute visibility into the health of Egorov’s lending positions – transparency that’s only possible in the world of decentralized finance, where transactions and wallet addresses are all publicly viewable. However, the full influence of big actors like Justin Sun remains opaque – and it will only become more so as whales become more sophisticated with how they obfuscate the scale of their holdings.
“On-chain transactions do not represent the asset exposure that the underlying trader necessarily has,” said Sacha Ghebali, a strategy analyst at crypto analytics firm The TIE.
“It’s no different from traditional financial markets,” he continued. “At some point there is a limit in terms of how much transparency these systems manage to carry, even when you get the impression of transparency.”