Sturdy Finance exploit, GHO ready for launch, CRV tokens backing up $105m in DeFi loans, Silo launches Curve LP borrow markets,...
Issue #44 of The State of DeFi Lending newsletter
Welcome to issue #43 of The State of DeFi Lending, a newsletter covering the highlights of lending markets in DeFi.
In this issue we cover:
Sturdy Finance lost approximately 442 ether (~$800k) through a reentrancy vulnerability. All markets were paused and the team is trying to negotiate the return of funds for a $100k bounty.
Aave DAO is going through the requisite governance to approve the first two GHO Facilitators and deploy on ETH Mainnet. Meanwhile, the community debates whether part of the GHO fees should flow to the security fund.
Curve Finance’s founder/CEO Michael Egorov has been on a borrowing spree totalling $105m in loans across Aave, Abracadabra and FraxLend. This could pose a significant risk event in case CRV experiences a sudden price decline as onchain liquidity is limited.
Silo launches lending markets for Curve LP tokens, which enable depositors to improve capital efficiency. These new markets use the isolated market type, so deposits cannot be borrowed.
Read below for more…
News
DeFi lending protocol Sturdy Finance suffers $800,000 exploit in reentrancy attack.
Sturdy Finance lost approximately 442 ether (~$800k) through a reentrancy vulnerability, leading to the manipulation of a price oracle. The attacker exploited the ability to repeatedly call a function within a single transaction before the original function call was completed. This exploit allowed the attacker to withdraw more funds than they were legitimately entitled to.
Upon gaining control over function calls, the attacker focused on exploiting Sturdy Finance’s price oracle, derived from a separate “read-only” smart contract. The oracle's main function was to accurately determine the market value of assets in a liquidity pool managed by the Sturdy Finance team on Balancer. Yet, its exploitation led to a draining of funds from the protocol, as observed by BlockSec.
The firm attributed the root cause to "the typical Balancer's read-only reentrancy, while the price of B-stETH-STABLE was manipulated."
In response to the attack, Sturdy Finance swiftly suspended all of its markets.
“All markets have been paused; no additional funds are at risk, and no user actions are required at this time”
Post-attack, the on-chain data revealed that the attacker used the Tornado Cash mixer to obscure their activity.
The Sturdy team is currently trying to negotiate with the hacker and is offering a $100k bounty.
Aave’s GHO gears up for launch
Aave is putting in place the decisive governance steps to launch its stablecoin GHO, using two initial facilitators: the Aave V3 Ethereum Facilitator and the FlashMinter Facilitator.
Following extensive testing on Ethereum's Goerli Testnet and community discussion, a proposal to introduce GHO to Ethereum Mainnet has been published. Once approved, GHO will be deployed.
The integration of GHO into the Aave ecosystem could make borrowing stablecoins on the Aave protocol more competitive. Moreover, it could create an additional revenue stream for the Aave DAO by directing 100% of the interest payments made on GHO borrows into the DAO's treasury. The community is already exploring whether part of the revenues can be used for the stability fund by splitting the revenues.
GHO's launch will also introduce the concept of 'Facilitators'. These entities or protocols can generate (and burn) GHO tokens up to a specified limit. The Aave V3 Ethereum Pool and the FlashMinter have been approved as the initial facilitators during a “temp check” phase by Aave Governance.
The Aave V3 Ethereum Pool Facilitator will enable depositors to borrow GHO against their collateral, which is deposited in the V3 Ethereum Mainnet Pool with the following terms:
Alongside this, FlashMinting will allow users to FlashMint GHO and repay in a single transaction, enhancing GHO's peg maintenance ability. The initial bucket capacity for the FlashMinter Facilitator will be 2,000,000 GHO with no fee paid to the facilitators.
Post GHO's successful launch, a multi-chain strategy will be proposed to the community.
CRV tokens used as collateral to borrow $105m across various DeFi lending protocols
Curve has been generating headlines recently as they launched crvUSD and the new gas-optimised tri-crypto pools.
Also, Curve’s founder has made headlines as he’s been buying up prime properties in Australia for $40m.
However, a group of DeFi natives, including BPRO’s very own Yaron Velner, took to Twitter in order to tally up the CRV exposure across DeFi lending markets.
Turns out that one account - held by Curve founder Michael Egorov - is behind this account. What is striking is the large exposure across a number of lending protocols:
Aave v2: 290m CRV deposit and $71m borrow (mostly USDT)
Abracadabra: ~80m CRV deposit and ~$20m
FraxLend: 54m CRV deposit and
DEX liquidity for Curve, however, would not be able to accommodate mass liquidations if they were ever to occur: $10m in CRV liquidations would lead to a 20%+ slippage, according to 1inch.
The #1 CEX for CRV - Binance - shows $9m 24hrs volume and a -2% depth of $330k, according to Coingecko.
Michael has been actively monitoring his position and recently topped up the CRV deposit on Aave to improve the health factor.
Gauntlet has kicked off a proposal in the Aave governance forum to freeze CRV and set the LTV to nil on Aave v2.
Silo Finance launches lending market for Curve LP tokens
Silo launches three new isolated lending markets: users can now borrow against Curve LP tokens while simultaneously farming Convex Finance rewards.
The three lending markets are $stETH-$ETH, $LUSD-$3CRV, and $FRAX-$USDC, helping Curve LPs to optimise assets and increase earnings.
There is already ~250 ETH available in the stETH-ETH market and ~180K XAI in the LUSD-3CRV market. SiloDAO will be minting a 350K XAI credit line for each new market.
In addition, Silo developed a special wrapper contract that allows users to claim CVX/CRV rewards directly on Convex when borrowing against LP tokens.
Silo’s isolated market types are being utilised for these new markets: Curve LP deposits are non-borrowable by default. To ensure security and compatibility, Silo created custom oracles with reentrancy protection, released liquidation contracts capable of liquidating Curve LP tokens, and integrated Convex to passively farm all Convex rewards while maintaining the boost.
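The read-only reentrancy reported in the Sturdy item above, and the reason Silo's custom oracles carry reentrancy protection, can be seen in a small Python model. This is an added example, not code from Sturdy, Balancer or Silo; the `Pool` class, the order of its state updates and both oracle functions are simplified assumptions.

```python
class ReentrancyError(Exception):
    pass

class Pool:
    """Toy LP pool (constructed model): exit() changes state around an external call."""
    def __init__(self, balance, supply):
        self.balance = balance   # underlying assets held by the pool
        self.supply = supply     # LP tokens outstanding
        self.locked = False      # reentrancy lock, held while state is changing

    def exit(self, lp_amount, on_receive=None):
        if self.locked:
            raise ReentrancyError("pool is mid-operation")
        self.locked = True
        try:
            payout = self.balance * lp_amount // self.supply
            self.supply -= lp_amount   # step 1: LP tokens are burned
            if on_receive:
                on_receive()           # external call: the receiver's code runs here
            self.balance -= payout     # step 2: balances are updated only now
        finally:
            self.locked = False
        return payout

    def rate(self):
        """View function (assets per LP token); it never checks the lock."""
        return self.balance / self.supply

def naive_oracle(pool):
    # Trusts the view function even while the pool state is inconsistent.
    return pool.rate()

def guarded_oracle(pool):
    # Reentrancy protection: refuse to price while the pool is mid-operation.
    if pool.locked:
        raise ReentrancyError("refusing to price during a pool operation")
    return pool.rate()

def observe_during_exit(oracle, balance=1000, supply=1000, lp_amount=500):
    """Return (price before, price or error name seen in the callback, price after)."""
    pool, seen = Pool(balance, supply), []
    def callback():
        try:
            seen.append(oracle(pool))
        except ReentrancyError as exc:
            seen.append(type(exc).__name__)
    before = oracle(pool)
    pool.exit(lp_amount, callback)
    return before, seen[0], oracle(pool)
```

With the default values, the unguarded oracle reports a doubled LP price inside the callback even though the price before and after the exit is unchanged, while the guarded oracle rejects the read.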
DefiLending #19 featured an extensive Q&A with Silo contributor Aiham. You can check it out here.