The Curve exploit, and the fear of a DeFi contagion took a toll on investor sentiment over the past week. In a quick turn of events, the hacker returned around 70% of the $62M they stole from one of the industry’s largest decentralized exchanges, exploiting code vulnerabilities in the programming language used by Curve. While Bitcoin and Ethereum fell by 0.19% and 1.63%, respectively, over the past week, the biggest gainer was indeed Curve (+7.57%) on the back of the returned funds. While it hasn’t fully recovered yet, a 25.47% jump in total value locked indicates that most stolen funds are back and haven’t been moved off-chain.
Figure 1: Weekly Price and TVL Developments of Cryptoassets in Major Sectors
Source: 21Shares, CoinGecko, DeFi Llama. Close data as of August 7, 2023.
3 Things to Remember in Markets this Week:
Arbitrum Decentralizes its Validation Technology
Arbitrum, a leading scaling solution for Ethereum, has introduced Bounded Liquidity Delay (BOLD) software. BOLD decentralizes validation by enabling anyone to submit fraud proofs, contest transaction validity, and enhance dispute resolution. While Optimistic Rollup scaling solutions, like Arbitrum, introduce a 7-day validation challenge delay, they remain susceptible to flooding attacks due to the previous model's central validator. A flaw that could sometimes lead to prolonged withdrawal delays is why BOLD significantly advances Ethereum's scaling decentralization as it finally sets a fixed, not probable, upper bound of seven days on the time taken to contest transactions. Finally, Arbitrum recorded the most newly deployed contracts on the day of launch. Thus, we’ll closely monitor the true impact on Arbitrum’s ecosystem growth and its influence on similarly-designed scaling solutions.
The issuer behind the US-denominated stablecoin has become the 11th largest holder of Bitcoin. Following their announced plans to convert surplus profits into BTC, Tether has accumulated 55K units of Bitcoin, amounting to ~$1.6B in market value. Per its latest attestation report published last week, the company’s excess reserves increased by ~$800M over Q2, bringing the total to $3.3B. This is a significant development to watch closely, given that Tether's decision boosts Bitcoin's demand for corporate treasury management.
Conversely, Tether should convert surplus BTC and treasury profits into cash to fortify the company's resilience against unforeseen challenges and furnish the necessary capital for swift deployment in potential bank run scenarios especially as their current cash reserves were significantly reduced to $90 million from $5.3 billion in December 2022, which is not preferable for a stablecoin with a $85B market cap, despite their access to several other liquid instruments like US treasuries, REPOs, and money market funds. Finally, although the address hasn’t been personally confirmed by Tether, the wallet holdings do match the quarterly holdings of the issuer.
On July 24, OpenAI’s CEO Sam Altman launched Worldcoin, a decentralized identity verification solution built on Optimism that requires users to scan their irises to obtain an online ID.
Worldcoin’s motive bodes well at first glance. However, collecting biometric data from the masses has been scrutinized by the community, especially since they started with users from developing countries like Kenya. Though, the country’s privacy regulations allow the data collection practices adopted by Worldcoin, which was how the company collected an undisclosed number of iris scans from Kenya out of the over 2.2M collected worldwide. On August 2, the Communications Authority of Kenya published a statement listing five privacy concerns, including questions on the security and storage of the collected biometric data and obtaining data subjects’ consent in return for monetary reward. The authority ordered Worldcoin to cease its data collection practices until further notice.
In France, the privacy authority told the media that it is aware that Worldcoin collected biometric data and has initiated investigations into the matter. Many other countries from the developed world, including UK and Germany, are closely monitoring the project; some have even been investigating it since November 2022. Despite the regulatory push-back, Worldcoin’s adoption is still on the rise, as shown below. Altman still hopes to work with regulators to expand Worldcoin’s services to governments and companies while reassuring that the data collected is preserved by a zero-knowledge (ZK) proof verification mechanism.
More TradFi Web2 Players Are Entering the Stablecoin Space
Paypal partnered with stablecoin issuer Paxos to launch their USD-pegged stablecoin, PYUSD, built on Ethereum and fully backed by U.S. dollar deposits, short-term U.S. treasuries, and similar cash equivalents. According to the press release, eligible U.S. customers will be able to pay for their purchases using PYUSD in the same manner that Gnosis Pay announced it would empower European customers to pay for their purchases with Monerium’s euro-pegged stablecoin (EURe) via its Visa card, with a convergence mechanism running in the backend. This trend aims to boost mass adoption by solving two ailing issues stifling the industry by providing users with a familiar user interface while complying with regulations. Moreover, onboarding more traditional players from the second generation of the internet shows the institutional appetite for the stablecoin subsector, whose market cap is valued at $124.5B, with USDT dominating by 67%. More traditional players, especially those with existing tools to their advantage, will likely follow suit, aiming to topple this dominance in their favor. In the grand scheme of things, the more regulated players in the space, the healthier the market.
The Ramification of the Curve Hack
The top stablecoin DEX was exploited, resulting in an initial loss of $62million. The vulnerability, termed a reentrancy attack, stems from an Ethereum programming language named Vyper. This flaw enabled the attacker to repetitively trigger the withdrawal function, bypassing safeguards and ultimately draining all assets from the four impacted pools, leaving them fully depleted. The hacker has since returned 73% of the stolen funds while retaining $18 million tied to CRV/ETH, one of the four affected pools.
Fortunately, the security bug was limited to three specific versions, so the damage was relatively contained. That said, despite the hack not severely impacting the DEX, it calls into question the reliability of DeFi’s risk management practices. For context, Curve’s founder Michael Egorosv, owned close to ~35% of the token’s circulating supply, which he then used to secure several loans on the three largest lending protocols. Thus, even though the hacker didn’t hold a substantial amount of CRV, his selling of the token, under last week’s thin liquidity conditions, would have triggered a chain of liquidations starting with Michael’s $85M loan backed by 168M units of CRV. Although Michael has been increasing his margin over the past week and raising it to ~$57M via selling CRV over the counter to dampen the market impact and help mitigate the contagion, the true market implications of the exploit will still linger.
Figure 6: Total amount of CRV sold via OTC by Curve Founder
Thus, we anticipate lending protocols to reduce the debt ceiling for supplying CRV in order to avoid accruing bad debt in the interim and until the supply of CRV is further diluted. Finally, the broader lending segment could pivot towards a dynamic interest rate model that adjusts automatically to extreme market movement, inspired by Frax’s V2 design, combined with isolated lending markets which confine risk to singular assets.
Our Dune dashboard, along with our researcher Tom Wan’s insights, was mentioned in The Block’s report about Tether. Read here.
Check out our Dune dashboard, tracking Worldcoin’s airdrop and adoption metrics,here.
Top 5 Trends in Crypto: User Experience Improvements, Scaling Solutions, and More. Watch here.
Our latest issue of Cryptoassets of the Month: Find out the biggest gainers of July. Read here.
Next Week’s Calendar
These are the top 3 events we're monitoring for next week.
August 9th: Coinbase’s scaling solution, Base, goes live on Mainnet
August 10th: Next US CPI print
August 13th: Next deadline for SEC on ARK Spot ETF