August 2, 2023: Post Mortem Vita ⚰️🥀
Analyses of the Curve hack and recovery efforts
Despite the tragedy of the weekend, yesterday it was too noisy to mourn properly. Instead all eyes were glued to the high stakes game of cat and mouse...
August 1, 2023: Loan Sharks 🦈💸
The Llama Risk team is back, proving once again they are the cream of the crop. In the day since the Curve hack, they’ve put together a highly detailed post-mortem covering the reentrancy exploit that hammered four Curve pools over the weekend. Must read…
Fortunately, the unhinged mob pursuing Michi is temporarily regrouping to catch their breath. Unfortunately, it looks as though they’ll be back out in full force soon enough, but we suspect he’ll be ready as always.
If you’re seeking play-by-play of the jealous house hunters, you’re on the wrong Substack. Mostly because we find it tedious and uninteresting, except for the mild chuckles we get every time Mich thwarts his inept predators. Mich not getting liquidated five years into his high stakes game is not news… call us if it happens.
More pointedly, it veers too close to “financial advice” in our opinion, since it tends to encompass people trying to trade this effect. We’re neither qualified nor eager to provide financial advice on this Substack. That said, traders who want to learn how to profit off these moves should read this well written article on some of the specific effects of the aftermath on markets:
We will instead posit some light alfa for builders who are looking for an idea with legs in a DeFi bear market.
With several debt protocols considering treating a whale-sized user of their platforms quite rudely, and with Curve reluctant to back $crvUSD with $CRV or Curve LP tokens… there’s probably a hefty opportunity for somebody to launch their own debt platform that’s friendly to whales. Integrate the friendly $crvUSD style liquidation mechanism Mich professes to prefer, and who knows, you might become a power player in short order.
At any rate, while Michi is busy artfully dodging the loan sharks, the rest of the Curve community has a brief respite. Let us properly pay homage to the deceased.
In the digital ether, we bid adieu to alETH, msETH, pETH, and CRV ETH pools; bright tokens of encrypted promise extinguished too soon. Their whispers were of innovation and daring, dancing within the fluctuating tides of our nascent crypto cosmos. Stoic sentinels in the ceaseless ebb of commerce, they bore testament to our quest for financial autonomy.
Now silenced, they echo still in the virtual machine, their spectral footprints a solemn requiem to resilience. As the stars weep binary tears, their absence engraves upon us an indelible lesson: even in absence, we are eternally connected, each loss a shared vulnerability, each triumph a collective ascent.
Sic transit gloria mundi; thus they pass, but not into oblivion. For in their departure, we reach towards a greater constellation - one shaped by unity, trust, and relentless pursuit of security. Farewell, luminous guardians of our digital dreams. You'll endure in the eternity of code, each byte a sonnet to your celestial dance.
A moment of silence.
The time since the hack has been a time for mourning and reflection. For affected LPs, which include us, the book has not been closed. The team has communicated clearly and effectively that negotiations with the parties to the hack are ongoing. Like all victims of this hack, we’re waiting patiently for more updates from the team and excited to see progress.
Helping with the JPEG’d case is the absolute best of the best.
The news is even better out of Metronome, which was able to recover a significant portion of funds.
Alchemix is working hard, but no public details just yet.
The two hacks of the CRV/ETH pool were partly recovered by the legendary c0ffeebabe.eth in the immediate aftermath, but no word yet on the other part of the hack.
Affected LPs should stay patient — teams are working hard and announcements will no doubt trickle out in the near future. Comms is tough when situations are developing and you need to be very precise in your language. We’ll all hear soon enough, just enjoy the show or touch grass until then!
Meanwhile, as for the hack itself, some fascinating reviews are dropping. Yesterday we posted the Llama Risk Postmortem.
As always, professional and speedy work detailing the precise details of the incident and available options. For Curve, the work is clear and appears to be underway. Already around the Curve UI we’re seeing precautionary measures put in place while the team researches, such as temporarily disabling creation of new pools.
The Vyper post-mortem is particularly painful as a Vyper fan. Much of the work was from a long time ago and a very different era in Vyper history.
The tragedy is that this bug was recognized at the time, but it also happened when the skeleton crew managing Vyper was in a state of flux, so it didn’t get noted widely amidst the chaos from the changing of the guards. Nor did anybody outside Vyper notice really, including hackers, until just this past weekend.
The good news is that the Vyper team is not sitting idly by trying to suck the venom from their snek wounds. The team appears not downtrodden but energized by this development. So many improvements in terms of security features and operating processes had already taken place in the intervening time, so it already feels like leftover baggage from era. There has been much discussion about how to get Vyper the funding it badly needs and the team is producing some innovative ideas for how to prevent and fend off future attacks. Worth keeping an eye on Vyper and how it bounces back from this issue.
Saving the best for last, the most thrilling retrospective was authored by Robert Chen on the perspective from inside the war room. It reads like a fast-paced action movie.
The timeline is careful not to point fingers, but does note the competing incentives around one of the more interesting debates to emerge from the event… the problem with over-communication during hacks.
As Chen notes, the incentives for auditors diverge from the incentives of the protocols at risk.
More likes leads to more business, so we know what they will choose every time.
It’s not an easy debate, but it’s the sort of debate that the crypto community should be having, as opposed to the inane chatter about Mich’s house.