The Curve hack: The DeFi drama that just keeps on giving

A version of this story appeared in our The Decentralised newsletter. If you want to read this or our other newsletters before your friends do, don’t hesitate to sign up.

Hey everyone, Tim here, and welcome back to The Decentralised, getting you up to speed on the biggest DeFi news of the past seven days.

There’s really only been one big story this week — the aftermath of last weekend’s Curve Finance exploits that saw hackers swipe $61 million from multiple trading pools.

First off, the good news: hackers who exploited the alETH and pETH pools have returned a combined $32 million in stolen funds after Curve put out an ultimatum on August 3.

The protocol agreed not to pursue legal action against the hackers if they returned 90% of the stolen funds before August 6.

However, the CRV-ETH pool exploiter, who currently holds around $18 million worth of CRV tokens, did not return the funds by the deadline.

In response, Curve has put out a $1.85 million bounty on the hacker, claimable by anyone who “is able to identify the exploiter in a way that leads to a conviction in the courts.”

We’ll be keeping a close eye on the situation to see if any crypto sleuths can identify the hacker holdout.

Early last week, Aleks Gilbert reported on criticism received by crypto security firm BlockSec following the Curve exploits. BlockSec tweeted out details about the exploits as they were still ongoing.

The firm says it was warning users to help them withdraw money before another hacker could strike, while critics argue BlockSec’s tweet drew unnecessary attention to the hack.

Check out the full story, and find out what Curve founder Michael Egorov thought of the whole debacle, here.

The situation with the CRV-ETH pool hacker is concerning not just because of the millions of dollars worth of crypto stolen.

Following the exploit, the hacker now holds a huge chunk of CRV, and any attempt to sell the tokens could crash their price and threaten to liquidate Egorov’s DeFi loans.

Egorov didn’t wait to see whether or not the hacker was going to return the stolen CRV before taking action, though.

On August 1, he began selling off chunks of CRV in over-the-counter deals to anyone willing to take them.

So far, he’s sold $46 million worth to various parties including Tron founder Justin Sun, liquidity provider Wintermute, and several DeFi whales.

He then used the proceeds to pay off parts of his loans and lower their liquidation threshold.

On July 31, Egorov’s Aave loan was at risk of liquidation if CRV dropped below $0.36 per token.

Now that figure’s dropped to $0.28 after he provided additional collateral.

However, with Egorov’s loans continuing to accrue interest, he’ll need to find a more permanent solution to his financial situation before he — and those entangled in his loans — can rest easy.

And Egorov’s loans aren’t the only thing weighing on the minds of Aave DAO members, the collective of token holders who govern the lending protocol.

As Osato Avan-Nomayo reported, a dispute currently rages between Aave DAO delegate Marc Zeller and DeFi management company Llama, which provides treasury management for the DAO.

Zeller’s proposal seeks to cancel Aave DAO’s contract with Llama, accusing the company of overcharging for its services and underdelivering on targets.

Llama rejected Zeller’s characterisation of its work and said he “misrepresents facts.” Read the full story here to get all the intricate details and learn about how Aave token holders are voting on Zeller’s proposal.

Data of the week

Amid the situation with Egorov’s precarious CRV-backed loan and all the Zeller-Llama drama, Aave v2 recorded its highest weekly revenue ever at $2.66 million. The spike was likely caused by programmatic increases in loan interest as users withdrew money to avoid bad debt from a possible Egorov liquidation.

This week in DeFi governance

TEMP CHECK: Should Aave raise the slashing percentage on staked AAVE tokens?

AAVE holders can earn over 6% staking their tokens in the protocol’s safety module.

The risk? Stakers stand to lose 30% if the protocol encounters a shortfall event such as accruing bad debt.

Xenophon Labs thinks this deal favours AAVE stakers a bit too much, and wants to increase the slashing percentage to 60%, and then potentially 100% to make things safer for the lending protocol.

PROPOSAL: Lido to cover expenses by selling stETH for DAI

Steakhouse Financial, Lido’s financial workstream provider, wants to convert stETH to DAI at regular intervals to to secure enough stablecoin working capital to pay contributors.

PROPOSAL: Frax to onboard FinresPBC to hold real-world assets

Frax needs a way to hold cash and other cash-equivalent assets for its v3 real-world asset strategies. To accomplish this CEO Sam Kazemian has helped set up FinresPBC, a public benefit corporation, to hold these assets on Frax’s behalf.

Tweet of the week

Euler CEO Michael Bentley captures the current mood toward lending protocols using the classic “Chad vs Virgin” meme. Egorov’s CRV-backed loan has exposed the difficulty lenders face trying to balance incentives and stay safe in the DeFi wild west.

On the other hand, automated market makers — for example, Uniswap — appear impervious by comparison, and don’t need to worry about the finer details which have wrought chaos at lending protocols.

What we’re watching for next week

A wallet, which some believe belongs to Tron founder Justin Sun, has withdrawn $200 million USDT from Tron-based lending protocol JustLend and deposited it to centralised exchange Huobi.

This comes after reports of arrested Huobi executives and rumors that the exchange is insolvent circulated earlier this week.

A Huobi spokesperson told journalists at CoinDesk that such rumors are false, and that the $200 million it received wasn’t from Sun. Still, users withdrew over $600 million from the exchange over the past month.

Do you have a tip-off, a question or an opinion about DeFi? Email me: tim@dlnews.com.