Turns out the Feds didn’t need to lift a finger. Two of the earliest DeFi protocols, Compound and Aave, both self-destructed in very different fashions this past week.
Compound
Other than those who argue DeFi dates back to Satoshi’s white paper because “Bitcoin is DeFi”, a more credible argument could be made that DeFi began in earnest in summer 2020 with the launch of Compound. Since then, Compound had been considered a relatively safe and stable offering, perpetually in the top tier of protocols by value locked.
Most importantly, it had managed to avoid the ominous REKT leaderboards. This impressive streak came to a close last night. A simple bug allowed up to 250K $COMP to be minted at will.
The good news is no user funds appear to have been compromised; the issue instead looks to have been simply in allowing the overminting of the $COMP token.
Fortunately, the hack may not end up too damaging in the end. Despite the solid job in finding and exploiting the bug, the hacker does not appear to have mapped out a robust exit strategy — in some cases they simply sent funds directly to Coinbase.
Most funds are pretty closely linked to the original wallet — or the brand new wallet they sent funds to during the heist. Was this new wallet an amateurish attempt to throw sleuths off the trail? Nobody tell them about Tornado Cash!
Since the wallet’s identity is pretty well known, we’ll see if they are able to redeem the funds. Their alleged identity was also quickly doxxed by security researchers.
The issue at stake looks like an errant > instead of >=.
These bugs were tricky to catch, in part because the missing equal sign was fine in the original version, so it went overlooked in the diff.
It’s a good reminder to review Ben Hauser’s classic series on property-based testing.
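To show how a property-based test surfaces a `>` versus `>=` boundary slip, here is an added example that is not Compound's contract code and not from Ben Hauser's series. It is a constructed toy model of index-based reward accrual; every name and constant in it (`accrue`, `INITIAL_INDEX`, `SCALE`) is an assumption, and it uses the standard library's `random` in place of a property-testing framework.

```python
import random

SCALE = 10**36          # fixed-point scale (constructed value)
INITIAL_INDEX = SCALE   # index every market starts at (constructed value)

def accrue(balance, user_index, market_index, strict):
    """One reward claim. strict=True models the errant '>', False the intended '>='."""
    if strict:
        started = market_index > INITIAL_INDEX
    else:
        started = market_index >= INITIAL_INDEX
    if user_index == 0 and started:
        user_index = INITIAL_INDEX      # first-time claimant starts from the initial index
    reward = balance * (market_index - user_index) // SCALE
    return reward, market_index         # claimant is now synced to the market index

def gen_case(rng):
    """Random first-time claimant; index growth is biased toward the boundary values 0 and 1."""
    balance = rng.randrange(1, 10**24)
    growth = rng.choice([0, 1, rng.randrange(2, 10**30)])
    return balance, INITIAL_INDEX + growth

def find_counterexample(strict, trials=2000, seed=0):
    """Property: a first claim never pays more than balance * index growth since start."""
    rng = random.Random(seed)
    for _ in range(trials):
        balance, market_index = gen_case(rng)
        reward, _ = accrue(balance, 0, market_index, strict)
        bound = balance * (market_index - INITIAL_INDEX) // SCALE
        if reward > bound:
            return balance, market_index, reward   # input that breaks the property
    return None

if __name__ == "__main__":
    print("errant '>':   ", find_counterexample(strict=True))
    print("intended '>=':", find_counterexample(strict=False))
```

The only failing inputs are those where the market index equals the initial index exactly, which uniform random sampling would almost never hit; the generator has to be biased toward the boundary for the property to catch it.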
In the end, the price of the $COMP token barely budged, so the damage may be little more than a hit to its reputation.
AAVE
In contrast to the external hack, some users are claiming Aave is hacking away at its credibility from within.
With its market cap trending somewhat sideways for most of the last year, Aave has been looking for new markets to expand into.
The market they are most keen on is the oxymoronic “permissioned DeFi.” They look to be gambling that the market for permissionless DeFi has peaked, and their next growth depends on institutional money getting into the space. Institutions have massive legal hurdles to knock out before they can ape, so Aave is looking to add the FireblocksHQ whitelister to the “Aave Arc” permissioned garden.
This sparked a furious philosophical debate about the nature of DeFi.
Stani claims Aave is capable of serving dual masters in this case.
Bunny Talisman @bantg blasted the team for inching towards TradFi.
At which point the conversation took a left turn into Stani attempting to enforce a puritanical dress code on top of fictitious characters.
Veering further off path, @bantg opted to redirect the attack toward the dashing deepfake Curve Market Cap video host, an innocent bystander if ever there was one.
Despite the intense debate, the Aave proposal looks well on its way to passing.
Even if it failed, Aave’s Fortune 500 clients can feel lucky that Aave thought to build a nice rug into their governance mechanism. Like an electoral college, Aave has a small council of “Guardian Angels” tasked with overriding governance decisions.
We may not need to wait for DC regulators to take down DeFi. At the moment, DeFi seems perfectly capable of taking itself out.
A key variable in the Drake Equation for calculating the odds of detecting intelligent life in the universe is the length of time a technologically advanced civilization will survive before destroying itself.
For the case of DeFi, what are the odds a protocol can broadcast incredible yields and have it detected by the barely conscious residents living on the same planet? The median survival time of a DeFi protocol before implosion may be under 2 years.
For more information, check out our leaderboards at https://curvemarketcap.com/ or subscribe to our newsletter at https://curve.substack.com/.
All proceeds from subscriptions go to support crypto activism at PAC DAO. Nothing in our newsletter can be construed as financial or legal advice. The newsletter is the author’s independent opinion, no opinions are affiliated with that of Curve. Author is a $CRV/$CVX maxi, has no stake in $COMP or $AAVE.