Notes 8/1: Hack at Curve Finance, Bitcoin Price

That crypto is a house of cards with worthless tokens is an open secret. It is, to quote Bloomberg columnist Matt Levine, a toy system. But it makes for a good academic study into how risk and volatility are transmitted across a system.

In the latest instance of this study, decentralized lending platform Curve Finance was hacked over the weekend. Between $20 million to $40 million worth of CRV, the protocol’s native governance token, were drained from the platform by the hacker. CRV underpins trading activities and provides rewards or interest to those who deposit their tokens on its platform. It can also be used on other platforms in DeFi.

A Founder’s Loans

The theft of such a large amount of CRV tokens, even if their value is notional, is already cause for worry; Curve founder Michael Egorov made the situation worse by using the token as collateral for loans. For example, he took out a loan of $5.13 million worth of FRAX stablecoin by pledging 12.5 million CRV as collateral. He has also borrowed $63 million in Tether’s USDT using CRV as collateral at Aave – another lending platform.

Investor fears around Egorov’s actions are centered around margin calls for his loans. According to estimates, a price of $0.37 for CRV will initiate liquidation at Aave and release a significant tranche of the token. The token’s price has been on a roller coaster ride since news of the hack came out. It crashed by 20% to $0.58. Its position has improved to $0.61 as of this writing. While that price is relatively unchanged from yesterday, the token is down by almost 16% on a weekly basis.

Based on statistics from analytics firm Coinanalyze, investors are moving in for the kill. Open interest in CRV-linked perpetual futures has surged to over $124 million since the hack and many are shorting the token.

Reviving CRV

There are frantic efforts to make up for CRV’s lost liquidity. Unfortunately, they rely on a dubious rogue’s gallery from crypto. Unregulated exchange Binance has the highest number of bids for CRV. Tron co-founder Justin Sun, who was charged by regulators for fraud earlier this year, has also lent a helping hand by purchasing $5 million worth of CRV tokens. These two have not engendered trust earlier and it is doubtful that they will do so in the latest drama.

Meanwhile, Egorov has also started another pool at Curve to resuscitate liquidity for the CRV/FRAX market. The new pool has “100,000 in CRV rewards,” writes CoinDesk.

But rewards in Curve depend on exchange volumes and the funding rate at which investors provide liquidity, also known as funding rate, to the pool. The total value locked (TVL) at Curve is down. As is the funding rate.

A Contagion In the Making?

Yesterday morning, Curve tweeted that only five pools, all of them related to ether or its derivatives, were affected. But the hack’s cause points to a bigger story lurking within the exploit. Briefly, the hacker exploited a compiler bug in Curve’s system.

Compilers are foundational to systems programming. In the modular software architecture, they connect algorithms that run applications to assembly languages that formulate instructions, such as those that deal with managing its memory requirements, for hardware.

In practical terms, this means that the entire protocol is at risk, instead of just certain pools. The Vyper smart contract language used at Curve is also used at other protocols, meaning the risk has already been transmitted to other areas of DeFi. This is reflected in the updated estimates of almost $70 million in losses due to the hack.

The Stablecoin Connection

While DeFi boasts of being largely self-contained, it is connected to the mainstream through stablecoins that are traded at centralized exchanges as well. They comprise a large share of the ecosystem’s trading volume.

One of the biggest repositories of stablecoins in DeFi is Tripool or 3pool at Curve. It holdings comprise of Circle’s USDC, Tether’s USDT, and MakerDAO’s DAI.

Earlier this year, it rattled Tether’s peg after investors withdrew the token amid fears about its reserves. The stablecoin released another edition of its reserves yesterday that showed a decline in profit. That bit of news, coupled with fears about the extent of Curve’s problems, could instigate another round of investor panic at the pool. Except this time the effects might be severe, considering crypto’s anemic liquidity and regulatory uncertainty.

Interestingly, a report earlier today mentioned that Curve founder Egorov’s wallet received an infusion of Tether from an anonymous wallet this morning. Whether that deposit relates to problems at the pool is unclear.

A Systemic Risk

Curve’s dependencies and interrelationships, once again, illustrate how similar DeFi’s playbook is to that of the traditional finance system that it aspires to disrupt. Composability enables connections between smart contracts and building of new financial products. It is democratization, albeit with buggy fundamentals, of a sort. But the same feature can lead to the emergence of systemic risks that could threaten survival of other applications within DeFi.

Bitcoin Price

Bitcoin, the frontispiece of crypto, fell below the $29,000 mark, to $28,772, this morning. The decline in its price occurred even after news reports claimed that the Securities and Exchange Commission (SEC) had told Coinbase to delist all tokens except Bitcoin from its platform.

That should have put a further stamp of regulatory approval on the token and enthused investors. As of this writing, it has reverted back to its earlier trading range and is changing hands for $29,255.01.

One thing that might make a difference to its price is its circulating supply. A declining supply corresponds to fewer gains and less volatility in its price. In the last week of July, 5207.485 bitcoin were added to trading markets. During the first week of January, when bitcoin’s price began an upward trajectory, 5888.454 bitcoin were added. If last week’s trends continue, then it does not bode well for bitcoin price.

Leave a Reply

This site uses Akismet to reduce spam. Learn how your comment data is processed.