
Some versions of the smart contract programming language Vyper were found to have a serious vulnerability on July 30th, Beijing time. As a result, some important projects, including Curve Finance, were attacked. (For more details, please refer to the article "Vyper language has vulnerabilities, Curve and other projects are under attack".)
According to the Curve team's explanation, some pools (alETH, msETH, pETH) used version 0.2.15 of the Vyper language, in which the reentrancy lock feature failed. This allowed attackers to execute certain functions multiple times within a single transaction, resulting in some financial losses.
As for the specific amount of losses, according to earlier statistics from Pidu, the total losses for Alchemix (alETH issuer), JPEG'd (pETH issuer), Metronome (msETH issuer), deBridge, Ellipsis, and Curve CRV-ETH pool are estimated to be around $52 million.
At the extreme, because CRV's on-chain liquidity reserves could not absorb the concentrated selling pressure, the trading price of CRV on multiple DEXs fluctuated drastically this morning. Between 3:05 and 3:15, the instantaneous price of the CRV/WETH pair on Uniswap almost dropped to zero, reaching a minimum of about $0.08 (it has now recovered to around $0.62).
Luckily, this extreme instantaneous price was not reported by the Chainlink oracle. According to Chainlink's feed data history, the lowest price the oracle reported at the same point in time was $0.59, thanks to its weighted quoting logic of "CEXs + DEXs". Because Chainlink is the most commonly used oracle service in the industry, this "small" price difference may have helped Curve, Aave, and even the entire DeFi industry avoid a bigger disaster.
Let's imagine what DeFi would have looked like this morning if Chainlink had reported $0.08 instead of $0.59.
The first speculation is that a large number of CRV collateralized positions on borrowing protocols, including Aave, would be directly exposed to liquidation risks.
Take the position of Curve founder Michael Egorov as an example. He has pledged a total of 292 million CRV tokens (equivalent to $181 million) as collateral on Aave, FRAXlend, Abracadabra, and Inverse, and borrowed $110 million against them. The comprehensive liquidation price is around $0.4, so with a feed price of $0.08 these positions would have been directly exposed to liquidation risks.
Odaily Note: Borrowing protocols like Aave now have time-weighted mechanisms in their liquidation design, so theoretically, an instantaneous price may not immediately trigger liquidation. However, such an outlier would obviously weigh heavily on the weighted average, thereby increasing the liquidation risk.
Once liquidation was triggered, a large number of users, including Michael Egorov, would face the risk of capital losses. Considering that on-chain CRV liquidity was already insufficient at the time, these liquidations would be difficult to execute effectively, potentially posing bad debt threats to Aave, FRAXlend, and other borrowing protocols (with CRV at almost zero, the proceeds from liquidation sales would be unlikely to cover the debt).
Meanwhile, as the liquidations progressed, CRV would face even greater selling pressure, which could intensify community panic (don't forget that the founder would also have been affected at that time), leading to more severe consequences.
Overnight, several cornerstones of the DeFi world have been severely hit, which is bound to have a huge ripple effect. It's hard to imagine what the industry would have looked like when we woke up this morning had such a situation actually occurred.
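The scenario above, comparing a single thin pool's spot price with a multi-venue weighted feed for a position with the roughly $0.4 liquidation price, can be sketched as follows. This is an added example, not Chainlink's or Aave's code: the volume-weighted median is an assumed stand-in for the "CEXs + DEXs" weighting, and the venue names and volumes are constructed; only the $0.08 low, the $0.4 liquidation price, the 292 million CRV collateral and the $110 million debt come from the article.

```python
# Added illustration. Venue names and volumes are constructed; the
# volume-weighted median is an assumed aggregation, not Chainlink's actual one.
COLLATERAL_CRV = 292_000_000   # from the article
DEBT_USD = 110_000_000         # from the article
LIQUIDATION_PRICE = 0.40       # approximate figure from the article

# (venue, price in USD, traded volume in CRV): constructed sample quotes
QUOTES = [
    ("dex_thin_pool", 0.08, 1_000_000),   # the article's Uniswap low
    ("dex_other", 0.45, 2_000_000),
    ("cex_a", 0.58, 12_000_000),
    ("cex_b", 0.59, 20_000_000),
    ("cex_c", 0.60, 15_000_000),
]

def volume_weighted_median(quotes):
    """Price at which cumulative volume, sorted by price, reaches half the total."""
    priced = sorted((p, v) for _, p, v in quotes if v > 0)
    total = sum(v for _, v in priced)
    if total == 0:
        raise ValueError("no quotes with volume; refuse to report a price")
    running = 0
    for price, volume in priced:
        running += volume
        if 2 * running >= total:
            return price

def assess(price):
    """Liquidation flag and shortfall if all collateral were sold at `price`."""
    collateral_value = COLLATERAL_CRV * price
    return {
        "liquidatable": price < LIQUIDATION_PRICE,
        "shortfall_usd": max(0.0, DEBT_USD - collateral_value),
    }

def compare(quotes, spot_venue):
    """Assess the position under one venue's spot price and under the aggregate."""
    spot = next(p for name, p, _ in quotes if name == spot_venue)
    return {"spot": assess(spot),
            "aggregated": assess(volume_weighted_median(quotes))}

if __name__ == "__main__":
    print("aggregated price:", volume_weighted_median(QUOTES))
    print(compare(QUOTES, "dex_thin_pool"))
```

With these constructed volumes the thin pool carries too little weight to move the median, so the aggregated price stays above the liquidation threshold while the single-pool reading would flag the position and leave a shortfall.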
In community discussions, some people have likened Chainlink's morning price manipulation to BitMEX's "plug-pulling" incident during the 312 crash. BitMEX, the largest contract exchange in terms of trading volume in 2020, experienced a one-and-a-half-hour outage during the extreme 312 market situation, indirectly preventing a further market collapse. It was therefore jokingly credited by many with "saving the industry."
Objectively speaking, Chainlink's situation is somewhat different from BitMEX's. It was just executing its normal "CEXs + DEXs" weighted pricing logic. Although using CEXs as one of the pricing sources may appear less decentralized to some users in the DeFi world, given the current market conditions, CEXs still provide more comprehensive and stable pricing (especially for altcoins). At least this time, pricing from CEXs may have saved the industry.