The Vyper Cuts: How DeFi Came Back From The Brink

An exploit deep in the code had ramifications that rippled up the stack. Here's how those affected fought back and what we can learn from it.

DeFi Dave
DeFi Dave
Aug 3, 2023
The Vyper Cuts: How DeFi Came Back From The Brink

Snakes have a special place in humanity’s collective unconscious. They symbolize transformation, rebirth, immortality, and healing. This week, one can say that DeFi had its own rebirth. A venomous 0-day exploit cut deep into the compiler of the Vyper programming language that would reverberate up the stack and throughout the market, making shorters salivate at the lips.

One of the stalwarts of DeFi, Curve Finance, was front and center throughout the whole episode, putting the protocol to its most challenging test yet. There was no time for virtue signaling, unprecedented action was needed to mitigate potential damage from the exploit at all levels. Battles were fought on-chain between whitehats trying to recover and blackhats attempting to extract millions of dollars worth of liquidity. Meanwhile, steadfast builders like Curve founder Michael Egorov and others dug their feet into the ground and built novel incentive mechanisms that utilized their closest collaborator Frax, which along with some OTC deals with some allies would seemingly save the CRV token from death spiraling.

As with every crisis, protocols are stress-tested under the most adverse conditions. Those who survive gain strength and lindy while those who don’t simply perish. DeFi is no stranger to tens of billions evaporating into thin air as what happened with Terra Luna last year. There are no sacred cows, only codes and incentives. As much as we talk about protocols, they are made up of people. It is in these times of hardship that we see tribes and individuals step up to the plate for all the world to witness and either knock it out of the park or strike out completely.

With the smoke from the fog of war finally clearing, we can contemplate on what happened, why it happened, and what it means for the future of DeFi. Make no mistake, even though the worst is over mostly, some self-reflection is indeed in order.

The (Forgotten) Ghost in the Machine

Vyper is a programming language for EVM that is Pythonic in nature and was launched in 2017. Although less popular than Solidity, Vyper gives EVM more language diversity, essential in avoiding monoculture. I don’t even want to imagine if only one language existed, things would be even more fucked. Anyways, Vyper would most notably be used by Curve in creating and deploying their smart contracts. In fact, as a nod to its importance, last year the Curve community approved having a vender gauge that funded Vyper development.

The vulnerability ultimately came down to incentives around auditing compilers. Compilers are magical software devices that transform computer languages that humans write into code and machines can read. They exist in a part of the stack that is wrongfully assumed to be safe and hence not looked at by auditors who primarily focus on the smart contract level. In addition, because of how it is structured, Vyper is much simpler to read compared to Solidity making it easier to find exploits. In the days after the Vyper hack, multiple calls have been raised by members of the community to create the proper incentives to prevent such an exploit from repeating itself.

Yet, the incentive was clear as day for blackhat hackers who were pushed to hunt deeper into the virtual machine as the potential bounties for vulnerable protocols dried up. For the years the bull market raged on, non-name projects were gaining nine figures and TVL making them juicy targets in the wild. As the opportunities started to become few and far between, sophisticated operators were forced to get creative which eventually led them to go where it is often forgotten, to the c o m p i l e r.

To give a sense of how long this bug went unnoticed, the exploit had been live since 2021 and just by sheer accident, was patched in the latest version of Vyper 0.3.1. Yet, those contracts of liquidity pools that contained native ETH and were written in versions 0.2.15, 0.2.16, and 0.3.0 still went on with their business with an invisible death warrant front and center. It was a Sunday that the first blood was drained and when it was all said and done, $69 million worth of value was exploited. The hardest hit from the attacks were the Curve liquidity pools of JPEG’D, Alchemix, Metronome, and even Curve itself.

When it comes to vulnerabilities, time is of the essence, and privacy is even more so. In the heat of the moment with so much at risk, whitehats banded together to create war rooms to find solutions. Heroes arose such as 0xc0ffeebabe whose efforts and actions would save millions in funds. Unfortunately, not everyone was on the same page. As Otter Sec auditor Robert Chen puts it “Auditors don't pay for externalities created by their reporting. Instead, they get rewarded with likes, retweets, and publicity.” It is here we find yet again incentives rear its head but instead of blackhats scavenging for scraps, its auditors valuing retweets over the retrieval of funds. Yet clout is thin as it is fleeting and those who prioritized it would feel the wrath of shame.

X, the Hypersigil Hive-Mind

Formerly known as Twitter, X is a unique social media platform in how it has positioned itself as a digital public square. Instead of our bodies, we enter it with our thoughts and intentions, being rewarded with dopamine feedback loops that are decided by an almighty algorithm. It is those incentives brought about by the algorithm that leads to behavior that may benefit the individual at the moment but spell drastic consequences down the line. As seen time and time again, Twitter is as much a spiritual device as it is a conduit for information.

Those who dare put themselves front and center feeding their ego with the energy of thousands of lurkers are all too often smitten by the gods. Who could forget Avi’s infamous “What are you going to do, arrest me” or Do Kwon’s “By my hand DAI will die”. The main character trope is one repeated all too often on CT and all too often the mortals who think they are infallible receive the rudest of awakenings.

That’s why it was curious to see Michael who barely tweets at all post a seemingly harmless response to a friend “Still shocked that I haven’t yet been ever affected by DeFi hacks 😅”. As if it was a call for the gods to test him, It was barely a week later that Michael and his baby Curve would face their biggest test yet. Patching the exploits on-chain was only half the battle, the next theater of battle would be in the markets themselves.

Sharks Circling Around CRV

CRV is a governance token that is uniquely intertwined with the Curve protocol. Its importance lies in the action that it incentivizes, deep liquidity. Those who lock their CRV for veCRV can vote on the direction of emissions toward LPs. This pioneering model gave forth to an intricate vote-incentive ecosystem and would help Curve earn the nickname of “The Liquidity Black Hole”.

One of the largest pools affected by the Vyper exploit was the CRV/ETH pair on Curve which was the primary source of liquidity for CRV on-chain. This seemingly spelled trouble for Michael who had much of his own CRV (and a large portion of the supply in various lending protocols such as Fraxlend, AAVE, Abracadabra, and others. If he were to be liquidated, it would send CRV to near zero and put the entire incentive structure Curve built into disarray.

Michael is no stranger to managing lending positions. In fact, according to Curve Cap, Michael has been utilizing on-chain money markets since 2018 having a record of never being liquidated, not even once. It was through interacting with lending protocols that Michael was inspired to build Curve to smoothly swap between stables which would later drive him to deploy crvUSD which offered a softer liquidation mechanic. Now with sharks swimming around his bleeding collateral position, Michael needed to act fast to prevent them from swallowing his CRV position whole, he did what he does best. He built.

Out of all the lending protocols, the one that needed to be prioritized was his Fraxlend position. Michael had a $17 million loan with $24 million worth of collateral and the pair was near 100% utilization. The way Fraxlend is designed is that when the utilization ratio reaches a maximum point, it automatically multiplies the interest rate doubling every 12 hours if at 100%. If left unattended, the pair would reach thousands of percent in APY and surely would have been liquidated.

In an unprecedented move, Michael would create a first-of-its-kind gauge that rewarded CRV to those who LP’d crvUSD with fFRAX for CRV/FRAX (the receipt token for lending FRAX in Fraxlend CRV pair). The goal of this gauge was to incentivize people to lend FRAX to lower the CRV/FRAX utilization rate. As a secondary market for Frax debt, this type of incentivization mechanic could have other interesting use cases in the future (incentivized bond markets, cough cough).

The only thing stronger than rock-solid incentives is rock-solid relationships, alliances that can be relied on even in the most extreme. Support came across crypto from OGs and current leaders alike with even Jihan Wu tweeting that he BTFD. Hours after he released his fFRAX/crvUSD incentive gauge, millions of CRV were sold OTC to the likes of Justin Sun, DCF God, CT2P, unknown anons, and others. Once the news of the sales started becoming public, CRV’s price would recover and millions in shorts would be liquidated. With OTC sales still ongoing, it seems that CRV and Curve will survive another day.

Conclusion

With the most pressing dangers almost behind us pending safely managing lending positions, what can we conclude from such a tumultuous sequence of events? First of all, those who say “DeFi is Dead” are wrong and it’s in fact stronger than ever.

If this type of crisis were to have happened in the opaque world of traditional finance, we probably would not have heard the full details until years later. Since the story was written on-chain with all eyes to see, we were able to dissect what happened one transaction at a time. This unparalleled transparency allowed us to monitor the health of lending protocols and liquidity pools one block at a time and see why certain actions were taken.

We must remember though that although DeFi has allowed the equalization of opportunity and lowered the barrier of entry for people to participate, that does not mean there is equality of outcome. Incentives don’t care about feelings, they care about accruing more value. Whether it’s the monetary value of a hack, the social standing of orchestrating a recovery, motivation in recommending a parameter to a lending protocol, or the economic game theory behind paying back lenders, every single action that transpired over the past week was a result of cold-hard incentives.

If DeFi is to truly reach the levels of TradFi especially as more value becomes at stake, it must wrestle with the reality of an incentive-driven world and build accordingly. This is how Satoshi thought and we must do the same for us to thrive.

More from Flywheel

View More
This Week in Frax - April 12, 2024 thumbnail
This Week in Frax

This Week in Frax - April 12, 2024

Apr 12, 2024Samuel McCulloch
Beefy Finance Deploys on Fraxtal thumbnail
Fraxtal

Beefy Finance Deploys on Fraxtal

Apr 8, 2024Samuel McCulloch

Subscribe and join the Flywheel family

Always Free. Never Spam.

Harness the power of the flywheel.

Not financial advice. Flywheel content is strictly educational and is not investment advice or a solicitation to buy or sell any assets or to make any financial decisions.

Flywheel and affiliates are not liable for any investment losses or damages resulting from your reliance on any information provided.

2023 ©️ Flywheelpod Inc. All rights reserved.