Curve Founder’s borrowing spree
As explained in introduction, Curve Finance is one of a decentralized exchange that specializes in stablecoin and wrapped token swaps. It also has a governance token called CRV that can be staked or used as collateral on various platforms. Michael Egorov, the founder of Curve Finance, has been accumulating CRV tokens since the project started in August 2020 and has been using them to borrow more funds on various DeFi platforms.
He started his borrowing spree in November 2020 when he proposed adding CRV as collateral to Aave V2, one of the leading lending protocols in DeFi. According to Medium, the proposal was approved by the Aave community, and Egorov became the first user on the platform to borrow against CRV. Medium also noted that he had borrowed about $2 million worth of stablecoins with CRV collateral by the end of January 2021. But he didn't stop there, as he continued to expand his lending positions across platforms, including Abracadabra, Fraxlend, Inverse Finance, Silo and others.
Source 1: From Medium
The above chart shows that as of July 2023, Egorov has secured loans worth more than $100 million with collateral of about 430 million CRV, which is almost 50% of the circulating supply of CRV. As mentioned by Medium, his loans were spread over Aave V2 for about $64 million, Abracadabra for about $17 million, Fraxlend for about $9 million, Inverse for about $7 million, and Silo for about $1 million.
However, Egorov's strategy was risky. First, he was over-exposed to CRV price fluctuations, which might affect the value of his collateral and his liquidation risk. Second, he relies on the thin liquidity of CRV on the secondary market, which might make it difficult for him to sell his tokens when needed. Third, he paid high interest rates on some loans, which could eat into his profits or increase his losses.
On July 30, 2023, Curve Finance was hit by a major vulnerability. As a result, several DeFi protocols on Curve Finance were compromised by attackers who stole $62 million worth of cryptocurrency. This attack was related to a vulnerability in Curve's previous liquidity pool (TriCrypto). Hacker exploited the vulnerability to allow users to swap between three tokens, USDT, WBTC and WETH. However, according to the investigation, the root cause of the vulnerability exploit was Vyper, another programming language from Ethereum smart contracts. The vulnerability in Vyper versions 0.2.15, 0.2.16, and 0.3.0 allowed attackers to manipulate reentrant protection and enabled them to execute multiple calls in a single function, tricking smart contracts into calculating incorrect balances.
But the story doesn't end there. Learn about the recovery efforts and the pivotal role played by a white hat hacker in returning stolen assets to Curve Finance. Explore how Curve Finance is enhancing its ecosystem's governance and operational efficiency in the aftermath of these incidents. Download PDF File to Read More.
Total Value Locked is a metric used to measure the total value of digital assets that are locked or staked in a particular decentralized finance (DeFi) platform or distributed appication (DApp). The higher the TVL, the more trustworthy the platform/DApp is perceived to be.
As BinanceFeed reported on July 22, before the vulnerability incident, Curve Finance was in the fourth place in the DefiLlama protocol rankings.
Source 2: From DefiLlama
However, there was a huge change after the vulnerability incident, with Curve Finance dropping out of the top 10 in the DefiLlama protocol rankings. The exploit was not just a series of attacks on Curve Finance, but also a profound lesson in the complexity and vulnerability of the decentralized finance (DeFi) ecosystem. The events of that fateful day and its immediate aftermath have left an indelible mark on the DeFi community.
Source 3: From DefiLlama
Next, it is clear from the chart below shows that a huge price drop occurred between July 31 and August 2, falling by 23% in just three days after the attack.
Following with the Curve Finance's TVL chart, illustrates that its TVL fell sharply from 3.245 billion on 30th of July to the lowest point of 1.68 billion on 1st of August due to the impact of the vulnerability incident.
Despite this, Curve Finance was once expected to be liquidated in this vulnerability incident, but as shown in the chart below, Curve Finance's TVL has recovered to 72.3% before the attack on August 4. Although the price of CRV fell to $0.40 in September, TVL still remained around 2 billion.
Want to discover more? You can download the PDF to read the full story.