August 30, 2021: Rug or Bug? 🪳⚖️

Judging malfeasance among Curve, Sushi, CREAM, EIP-1559 + more

Crypto’s a dangerous place. When you’re aping at the bleeding edge of technology, you’re bound to run up against various coding flaws. Are they bugs or rugs?

Let’s review the latest issues and judge whether they are innocent mistakes or malicious attacks.

POLYGON TRICRYPTO

An issue was reported on Curve Polygon TriCrypto, with users encouraged to migrate:

Curve Finance @CurveFinance

We have discovered a small issue in the atricrypto2, this only affects the atricrypto2 on Polygon. There was no loss but we ask LPs to migrate to its new version (atricrypto3). To migrate, please visit the withdraw page (polygon.curve.fi/atricrypto2/wi…) and click the migrate button.

polygon.curve.fiCurve.fiCurve is an exchange liquidity pool on Ethereum designed for: extremely efficient stablecoin trading, low risk, supplemental fee income for liquidity providers, without an opportunity cost.

11:33 PM ∙ Aug 26, 2021

---

Tough call — Curve has yet to rug people en masse. Nor does Curve tend to have bugs.

TriCrypto is still first-of-its-kind technology though, with no particular way to test but to deploy into prod. We’ve not yet seen full details of the issue, so we’re purely speculating here. Since no users lost money and Curve put up a nice interface to help users migrate, we’re fairly certain it’s not a rug.

VERDICT: BUG

SUSHI MISO VULNERABILITY

This announcement turned people’s heads:

samczsun @samczsun

Just pulled off maybe the biggest whitehat rescue ever. Story time soon 🔥

6:42 PM ∙ Aug 17, 2021

---

The write-up of the vulnerability is a gripping read of how he identified and exploited the vulnerability in the span of just half an hour. The exploit allowed for wiring some ETH to the `batch` endpoint. This endpoint ran a loop that checked the value of ETH exceeded a minimum, but re-used this for each step of the loop. The same ETH could be used to bid on multiple contracts. Then, the exploiter simply needed to lose these bids to claim multiple refunds with their single bid. This could have drained $350MM!

Joseph Delong 🔱 @josephdelong

Sushi has paid a bounty of $1M in USDC to @samczsun for his assistance in discovering and mitigating a Miso vulnerability. etherscan.io/tx/0x92d4c6643…

5:56 PM ∙ Aug 27, 2021

---

Curve Finance @CurveFinance

Being a white hat definitely pays well!

Joseph Delong 🔱 @josephdelong

Sushi has paid a bounty of $1M in USDC to @samczsun for his assistance in discovering and mitigating a Miso vulnerability. https://t.co/leaaPeMMSv

5:40 PM ∙ Aug 28, 2021

---

A million dollar bounty is quite a nice haul, albeit less than a percent of the overall opportunity. Since an intentional exploit could have been worth so much more, this doesn’t smell like a rug.

VERDICT: BUG

CREAM RE-ENTRANCY

Nearly 418,311,571 $AMP and 1300 ETH drained from CREAM in the form of a flash loan re-entrancy attack.

Cream Finance 🍦 @CreamdotFinance

C.R.E.A.M. v1 market on Ethereum has suffered an exploit, resulting in a loss of 418,311,571 in AMP and 1,308.09 in ETH, by way of reentrancy on the AMP token contract. We have stopped the exploit by pausing supply and borrow on AMP. No other markets were affected.

7:52 AM ∙ Aug 30, 2021

---

The initial value of the hack was $25MM, but after the prices of the tokens dropped it’s down to around $19MM. The $AMP token price dropped the most (-30%), even though early blame is being tossed towards the $CREAM team (-6%).

m₳wenyo @mawenyo

To be clear, CREAM got hacked, not $AMP. Christmas in August for an entry or a DCA. I definitely stacked more. Thanks, panic sellers!

12:43 PM ∙ Aug 30, 2021

---

$AMP @SoMuchAMP

Well this explains $AMP's price movement over the last 8 hours

cryptopotato.comTwice in 6 Months: Cream Finance Exploited for $25 Million in ETH and AMPThe decentralized finance protocol Cream Finance suffered another security breach with roughly $25 million stolen from the platform.

12:42 PM ∙ Aug 30, 2021

---

It’s too early for a post-mortem. If the fault was indeed with the CREAM code, it would be the second major exploit in six months. When a protocol gets hacked twice, it becomes a bit more suspect. By some indications, it may have even been a bug auditors actually caught ahead of time:

Josu San Martin @josusanmartin

Cream Finance was audited by @trailofbits in January 2021: docs.cream.finance/audit-report The hack could have been prevented if they had followed the Audits recommendations for new token listings in "Appendix B. Token Integration Checklist" (continues)

docs.cream.financeAudit Report

12:40 PM ∙ Aug 30, 2021

VERDICT: TOO EARLY TO SAY

CURVE VOTES 63-72

The payload for a few Curve votes were borked.

banteg @bantg

PSA Don't bribe Curve votes 63-72, they have borked payload.

Charlie Watkins @charlie_eth

@NourHaridy @bantg Can confirm yes. We were in the process of putting up new replacement votes. Will DM to discuss.

8:38 AM ∙ Aug 28, 2021

---

Governance shenanigans are a terrible thing, just ask any $UNI holder. In this case, the issues and replacements are being disclosed with full transparency. No funds or obvious attack vector. Nobody appears to be crying foul. Jimmy Carter’s sleeping peacefully.

VERDICT: BUG

NFT Censorship

Centralized companies are prohibiting access to charity.

ChainLinkGod.eth 2.0 @ChainLinkGod

Launch an NFT for charity, twitter censors the tweet, very cool thanks internet tech monopoly 👍

5:10 PM ∙ Aug 28, 2021

---

That’s approaching cartoon villain levels of evil.

VERDICT: RUG

GREEDEN-GETH

A clever new repository to allow miners to switch between whichever block nets them the most profit.

MEV Senpai @mevintern

.@NathanWorsley_, @0x9116, eranralf, @GrugCapital & i are happy to announce greeden-geth, a fork of eden-geth with a greedy algorithm to switch between eden, flashbots, and normal blocks it picks whatever is most profitable!

github.comGitHub - CodeForcer/greeden-geth: Geth client which picks the most profitable blocks to mine using a greedy algorithmGeth client which picks the most profitable blocks to mine using a greedy algorithm - GitHub - CodeForcer/greeden-geth: Geth client which picks the most profitable blocks to mine using a greedy alg...

10:55 PM ∙ Aug 29, 2021

---

It’s a machine for efficiently transferring money from the pockets of users to miners. Pretty clearly an intentional rugging built into the base layer of Ethereum, and a genius one at that.

VERDICT: RUG

EIP-1559

With gas prices hovering in high double digits, Ethereum is becoming unusable for plebs once again.

Joseph Delong 🔱 @josephdelong

Maybe EIP1559 wasn’t as brilliant at we thought. Fight me

12:52 AM ∙ Aug 30, 2021

---

// Josh McGruff @JoshMcGruff

Gas prices getting so bad the U.S. might invade Ethereum

9:51 PM ∙ Aug 29, 2021

---

The effect of EIP-1559 is a complicated issue, which we dove into some last week. Certainly gas prices are very high, yet we still see experts presenting complex models for why it’s in fact a good thing.

nick.eth @nicksdjohnson

Has 1559 reduced over-spending on gas fees? I used BigQuery to try and find out. First, we need to define overspend; my working definition is the difference between the gas price the user paid and the lowest nonzero gas price in that block (or 1 GWEI, whichever is higher).

3:45 AM ∙ Aug 30, 2021

---

Ryan Berckmans @RyanBerckmans

Last month, ETH holders would have saved an additional $48M per day if proof of stake was already fully live. This $48M per day is on top of the $16M per day already saved by EIP-1559 burning ETH. Here's a chart showing how PoS delivers 3x additional cost savings vs. EIP-1559:

5:14 PM ∙ Aug 28, 2021

---

There is an element of caveat emptor. Nobody who read the fine print expected EIP-1559 would lower gas fees.

/r/Ethereum @r_Ethereum

Every time someone mentions 1559 and gas fees... #Ethereum

ift.ttr/ethereum - Every time someone mentions 1559 and gas fees...78 votes and 18 comments so far on Reddit

9:53 PM ∙ Aug 27, 2021

---

It’s a tough call here. On balance, we’re still supportive of EIP-1559. The transactions run so quickly and easily when sent using a supportive protocol like Brownie. It’s clearly a necessary step for scaling. Our heaviest criticism is reserved for wallets like MetaMask, which were still pushing legacy transactions well after EIP-1559 was enabled.

Nonetheless, we observe that common plebs did not have a good understanding of EIP-1559. Too many non-technical users held onto the erroneous belief that it would have the effect of lowering gas fees. The overly technical explanations clearly misled people, and too little work was put into correcting these misconceptions. Further, while it was by no means the onus of the dev team to get the community onboard, they could nonetheless have eased the transition by delaying rollout until most major wallets had support. Additionally, a pattern is starting to develop: every major change tends to redound to the benefit of increasing miner revenue.

VERDICT: RUG

---

For more info, check our live market data at https://curvemarketcap.com/ or our subscribe to our daily newsletter at https://curve.substack.com/. Nothing in our newsletter can be construed as financial advice. Author is a $CRV maximalist and owns some $ETH and has a position in Curve’s Ironbank pool.