A hacker who stole over $160 million from trading firm Wintermute has become the largest liquidity provider in a Curve Finance trading pool after depositing the funds there last year.
The hacker’s stolen funds now account for 28% of the $409 million backing Curve’s 3pool, a popular decentralised trading pool that lets users swap between stablecoins Tether, Circle’s USDC, and MakerDAO’s DAI.
“All Curve pools are absolutely permissionless, so no one can stop anyone from depositing,” Michael Egorov, founder of Curve Finance, told DL News.
Launched in 2020, Curve is DeFi’s biggest decentralised exchange, with its contracts holding over $5 billion worth of crypto across 12 different blockchains.
Curve lets users trade crypto assets without intermediaries like a centralised exchange. Users buy and sell crypto assets through liquidity pools, where they can also act as liquidity providers by depositing assets into them. Liquidity providers earn a small fee every time someone uses the pool to swap tokens.
Curve’s protocol design — like most other DeFi protocols that run on liquidity pools — means that traders who use trading pools pay fees to the pool’s liquidity providers. In the case of 3pool, this means fees are being automatically distributed to the hacker, contributing to the growth of their position.
But since Curve is immutable, meaning that its code cannot be changed once deployed on the Ethereum blockchain, its creators have no control over who interacts with it or provides liquidity.
“Whether someone likes this or not, immutable protocols are neutral by design,” pcaversaccio, a pseudonymous crypto security researcher, told DL News. Pcaversaccio said that he believes protocols should maintain neutrality despite unfavourable situations such as the Wintermute hacker becoming the largest liquidity provider in 3pool.
“Protocols should be apolitical and neutral. Otherwise they will become permissioned and thus not censorship-resistant anymore,” he said.
Egorov added that one silver lining of the situation is that, because blockchain transactions are transparent, the hacker will not easily be able to hide the stolen funds, which will always be trackable.
Although many DeFi protocols employ immutable contracts to maintain neutrality, provide trust, and bolster security, not all protocols follow this approach. In February, Oasis, a frontend for the lending protocol Maker, came under fire after a UK court ordered it to update its code to take back $140 million stolen during a hack a year prior.
Oasis recovered the stolen funds, but the incident threw into question some of the founding assumptions of DeFi, namely that all transactions are final and no crypto can ever leave a user’s wallet — or a DeFi protocol — without their permission.
Regulators have mostly avoided the topic of DeFi and the implications of immutable code, but some are starting to take notice.
Earlier this month, the US Securities and Exchange Commission cited Curve as an example of a DeFi protocol where the “responsibility for the system could not be attributed to the persons who created or deployed the smart contract.”
“Wait until they figure that even governance cannot rug/upgrade the code of which holds funds” — Curve Finance (@CurveFinance), April 15, 2023
The commission suggested that holders of governance tokens of immutable protocols like Curve would need to pay Ethereum validators to fork the blockchain to change the immutable code and ensure compliance with SEC rules — even though it may be highly costly and affect unrelated entities also on the chain.
And if that doesn’t happen, then the protocol should shut down, suggested the SEC.
“But what if you cannot shut down without shutting down Ethereum?” Curve’s Twitter account said in reply.
Disclaimer: The two co-founders of DL News were previously core contributors to the Curve protocol.