Alpha Homora gives final deadline to Iron Bank, Hundred Finance hack update, HAI stablecoin announced, Survey highlights DeFi protocols barely recover from hacks,...
Issue #37 of The State of DeFi Lending newsletter
Welcome to issue #37 of The State of DeFi Lending, a newsletter covering the highlights of lending markets in DeFi.
In this issue we cover:
Alpha Homora’s (AH) tokenholder vote to end negotiations with Iron Bank (IB) which has until 28 Apr, 8am UTC to return the funds to avoid legal action by AH.
Hundred Finance published a post-mortem on the hack and vows to resort to law enforcement to track down the hacker.
New stablecoin HAI is announced: HAI is a RAI fork with 3 major changes: It’s multi-collateral, involves active governance and is launching on Optimism.
Security is of major importance to DeFi protocols. A survey by the Defiant showed that protocols barely recover from hacks and exploits. This should come as no surprise to founders and teams but security is oftentimes neglected.
Read below for more…
Please note: Twitter-links are not displayed as usual. Substack and Twitter are fighting out who has the upper hand in newsletter subscriptions. We hope to revert to the usual format as soon as possible.
News
Alpha Homora’s (AH) stand-off with IronBank (IB) over frozen user deposits still has not been resolved. AH published three more open letters during April appealing to IB to reach a consensual agreement. These talks have broken down with AH giving IB a final ultimatum before starting legal proceedings.
https://twitter.com/Alpha_HomoraV2/status/1650799917479378946?s=20
IB has declined the suggested proposals, highlighting they cannot accept payment over time to be made whole for the financial losses.
https://twitter.com/ibdotxyz/status/1646900619431620610?s=20
In response to that, the AH community voted to give IB a last deadline before starting legal proceedings. This deadline is on 28 April, 8am UTC, thus approaching rapidly.
https://twitter.com/Alpha_HomoraV2/status/1649321362031546368?s=20
So far there has been no response by IB.
As part of AH’s recent vote, there are ongoing discussions to set up a separate fund as a goodwill gesture for depositors since funds are stuck in IB.
Hundred Finance has published a post-mortem to last week’s hack.
https://twitter.com/HundredFinance/status/1649881857389916162?s=20
The Hundred Finance lending protocol was hacked on April 15th, 2023, and the attacker drained assets worth approximately $6.8 million USD from the hToken markets on the Optimism deployment. The exploit was carried out using an integer rounding vulnerability in the hToken contract logic for redeeming underlying tokens, which presents itself when a market is empty.
The attacker withdrew funds from Tornado Cash, transferred them to Optimism, and deposited them into empty hWBTC markets. They then executed the hack by deploying master contracts that carried out the exploit on each deployment, using a sequence of steps involving WBTC flashloans, hWBTC minting and redeeming, and exploiting the rounding error in the redeemUnderlying function.
The issue applies to Compound-forks and is not specific to Hundred Finance: This vulnerability has existed in the Compound v2 code since its launch, despite multiple audits. It can be mitigated by minting small cToken amounts at market creation or deactivating the redeemUnderlying function.
https://twitter.com/HundredFinance/status/1647634154710769664?s=20
In response to the hack, the Hundred Finance team paused markets on all chains, alerted the community, and began tracking the attacker's activities. They also issued a $500k USD open bounty for information leading to the arrest of the hacker and the return of all funds. Law enforcement has been informed and criminal proceedings have been initiated. The team is working to recover the assets and will distribute them to affected users once they are retrieved.
https://twitter.com/HundredFinance/status/1648752607563771905?s=20
Ameen, a RAI cofounder, made the headlines this week by announcing a new stablecoin project called HAI which is a RAI fork with 3 major changes: It’s multi-collateral, involves active governance and is launching on Optimism.
https://twitter.com/ameensol/status/1649097875849355265?s=20
This comes as a direct response to design flaws in RAI, as expressed by Ameen in January this year.
https://twitter.com/ameensol/status/1617582677833699330?s=20&t=7rhsli-xlkzCiG7aZaGLOw
RAI was built on the ethos of decentralized collateral & governance with a certain “ETH-purity”. Ameen’s tweet triggered a public debate about the Pros & Cons of other collateral types by the community and other protocol contributors.
HAI has received some positive feedback from the Crypto community, even attracting praise from Maker co-founder Rune.
https://twitter.com/RuneKek/status/1649100222952357895?s=20
The Defiant published an interesting article highlighting that hacked DeFi protocols rarely recover.
https://twitter.com/DefiantNews/status/1650662165504983045?s=20
The story finds that “a survey of the top five hacks in dollar terms shows that each protocol’s total value locked is down by at least 96% since it was hacked.”
https://twitter.com/DefiantNews/status/1650662187063738368?s=20
This article suggests that security is of paramount importance to protocols and cannot be understated.
Short news & announcements
Angle protocol passed the vote to restore agEUR's peg after Euler's repayment. The community approved the mint & burn of agEUR, allowing people to buy and sell agEUR to the protocol at €1.
Maker Governance approved Coinbase Custody (RWA014) as a new real-world asset vault type to implement the onboarding of up to 500 million USDC from the PSM to the Coinbase USDC Institutional Rewards program
Curve launches gas-optimized Tricrypto contracts (ie three volatile assets in one pool)
NFT Finance digest summarizing recent developments in the NFTfi space