DeFi Under Threat: The Consequences of the Curve Finance Hack Spread Across the Ecosystem

Yesterday's Curve Finance hack resulted in the loss of over $40 million worth of assets and a sharp drop in the price of the native Curve DAO (CRV) token.

However, crypto industry participants are far more terrified of the consequences of an exploit that could spell disaster for some of the largest decentralized lending protocols.

Curve Finance faced a major hack that took place in two stages. Initially, hackers stole about $26 million due to a re-entry vulnerability in pools. This was followed by the second stage of the attack, during which the attackers withdrew 7.1 million CRV worth $4.4 million and 7680 WETH worth $14.37 million from the CRV-ETH pool.

The incident occurred due to a vulnerability in an outdated version of the Vyper programming language, which allowed problems with re-entry into the Curve smart code. As a result, TVL dropped from $3.26 billion to $1.72 billion, a drop of nearly 46% in 24 hours.

A number of Curve DeFi projects were affected by the attack, including JPEG'd, MetronomeDAO, deBridge, and Ellipsis. The alETH-ETH Alchemix pool lost the most — $13.6 million.

Many protocols accept CRV tokens as collateral. The founder of Curve Finance took full advantage of this: Egorov took loans in the amount of $110 million in stablecoins secured by 460 million CRV worth about $290 million in several protocols.

The largest of the issued loans was provided by the well-known DeFi platform Aave V2. The $70 million loan is backed by 34% of CRV's circulating supply and has a liquidation price of $0.376 per token. If the Curve hackers try to exchange the 7 million stolen coins, the asset price will most likely fall below the Egorov liquidation point for an extended period of time. This will force him to close positions and expose creditors to the risk of incurring debt.

To add fuel to an already flammable situation, lenders are withdrawing deposits, increasing pool utilization and interest rates. Some market participants have gone even further and are actively facilitating Egorov's liquidation by raising the rate on his CRV Fraxlend position.

This catastrophic scenario did not come out of nowhere, but was the result of a failure to recognize the warning signs and reconsider CRV's collateral status.

Aave has previously experienced distressed debt in the CRV market after liquidating a large short position in January, which clearly indicated a lack of liquidity. Gauntlet, which specializes in the economics of the DeFi ecosystem, last month advised Aave management to freeze borrowing for Curve’s native token.

Now that the CRV/ETH pool has been emptied as a result of the attack, liquidity is at an all-time low. Considering that hackers currently control most of the supply of CRV on exchanges, and Yegorov's positions are approaching liquidation, it can be assumed that asset quotes could collapse at any moment. Thus, the emergence of problem debts is simply inevitable.

However, Aave is not the only one in the line of fire. The Abracadabra, Fraxlend, Inverse and Silo protocols, which accept CRV as collateral, are also at risk of massive TVL drops. An additional concern for users is the possibility that the native tokens of these platforms will be used to clear bad debts. This will provoke additional selling pressure and lead to a significant decrease in the price of coins.

Isolated risk markets such as Fraxlend and Aave V3 isolate bad debts from those who knowingly took on risk and provided funds under CRV positions; losses will be absorbed by these creditors. However, lenders that have not isolated risk, such as Aave V2 or Abracadabra's MIM, could be hit hard.

Given the widespread use of CRV as a collateral asset, the liquidation cascade could be a real test for the DeFi segment, which is still reeling from the effects of a protracted bear market.