‘Curve Wars’ Heat Up: Emergency DAO Invoked After ‘Clear Governance Attack’
In a governance first, Curve has halted rewards emissions to a pool after it deemed a protocol’s behavior a “clear governance attack.”
The latest salvo in the multibillion-dollar “Curve Wars” might be the most daring yet, and the protocol’s response has revealed deep ideological fissures in the decentralized finance (DeFi) community.
Curve.Finance is the largest DeFi protocol with $20.8 billion in total value locked (TVL), according to CoinGecko. The protocol holds a vital place in the DeFi universe because of its CRV token rewards emissions – a key source of income for multiple other protocols and one of the foundational pillars of a rapidly growing $270 billion market.
On Wednesday night, a young project – memecoin-flavored Mochi Inu – executed a series of transactions that tilted CRV rewards in its favor by using a token-locking mechanism in Convex Finance, a yield farming protocol built on top of Curve.
This jockeying for CRV emission rewards is a common practice among protocols and is often referred to as the “Curve Wars.”
In a Twitter thread Thursday morning, Mochi formally announced themselves as a new player in the Curve Wars, writing that “Curve is the backbone of DeFi, and Convex is the kingmaker of Curve.”
Shortly after the transactions, however, the Curve Emergency DAO, a nine-person group using a multisignature scheme with limited governance powers over CRV reward emissions, cut off Mochi’s rewards, and in a governance forum post, semi-anonymous Curve contributor Charlie wrote that Mochi’s overnight actions were a “clear governance attack.”
In an interview with CoinDesk, semi-anonymous Mochi founder AZ, also often referred to as Azeem, said that the Emergency DAO’s security concerns were “reasonable” and that he hopes to address those concerns in the coming weeks.
Nonetheless, the decision from the decentralized autonomous organization, or DAO, has prompted much community debate, as some have argued that the protocol should not single out any one user and that blacklisting another protocol runs against DeFi’s open, permissionless ethos.
In an interview with CoinDesk, Charlie said that the decision to cut off Mochi’s CRV rewards wasn’t made lightly, but that the situation was unique.
“I hate this ‘I need protection’ meme we’ve seen from Gensler,” he said, referring to U.S. Securities and Exchange Commission Chairman Gary Gensler. “Curve definitely doesn’t want to be gatekeepers or protectors, but we gotta draw the line somewhere when it comes to bad behavior. Mochi crossed it seven times over last night.”
Exploitative or exploit?
Regardless of whether Mochi’s maneuvering was an attack or a clever abuse of various DeFi protocols’ utility, the events were a remarkable display of the interconnected nature of the DeFi ecosystem, spanning multiple projects and layered functions.
Curve is a decentralized exchange tool primarily designed for swapping assets that are similar to each other, such as different stablecoins or ETH and its staked derivatives such as stETH. Curve’s liquidity providers are rewarded with CRV, the protocol’s governance token.
At the core of Mochi’s “governance attack” is veCRV – voting escrow Curve, a locked version of CRV that grants holders the ability to vote on “boosting” CRV rewards to certain liquidity pools. Throughout 2021, various protocols have vied to accumulate CRV and lock it as veCRV in order to boost rewards to pools that will benefit them. As a result, locked Curve is a popular metric to track.
Mochi, a platform similar to asset-backed stablecoin issuers Spell and MakerDAO, gave users incentives to deposit assets in a Curve pool that included USDC, USDT, DAI and Mochi’s native stablecoin USDM leading into Wednesday night’s events, ultimately attracting over $170.2 million in liquidity at its peak, according to Azeem.
A final key cog in the events is Convex Finance. Convex is a protocol designed to maximize CRV rewards, and the protocol is now the largest veCRV holder with 136.58 million tokens, which is more than a third of CRV’s circulating supply. Users who lock Convex’s CVX token have the right to vote proportionally on how the protocol’s tokens are used for boosting the rate of rewards.
This would have allowed them to vote on additional CRV rewards for the Mochi pool, which in turn would have attracted additional liquidity, allowing them to swap even more USDM for stablecoins to buy more CVX – ultimately creating a flywheel heavily tilting CRV rewards in their favor and attracting huge sums of liquidity to their platform.
Multiple observers have noted that KeeperDAO, FRAX, Olympus, CREAM and other DAO communities are voting or have voted to pursue similar strategies (if at a smaller scale), but the demands of public governance have slowed them down, and they couldn’t unilaterally move to seize voting power the way Mochi did.
As Mochi’s transactions unfolded, DeFi community members were quick to point out that the young protocol had numerous security and operational flaws, including that the team could arbitrarily print more USDM and that the price oracle for the token – a key piece of infrastructure that is often the target of hackers – was manually set by a team member’s address.
Additionally, Azeem is a controversial figure in the DeFi sector. While running the Armor.fi insurance protocol, the developer was accused of personally deciding not to pay a user with a legitimate claim in February. Later that month, following a social engineering attack on an Armor team member that resulted in a $1 million loss, Azeem defended his colleague by saying that the developer was “sleepy and tired,” a phrase that has become widely mocked.
Multiple high-profile DeFi developers criticized Tuesday night’s scheme, with Yearn.Finance founder Andre Cronje referring to the transactions as “amazingly scammy.”
In an interview with CoinDesk, Banteg, a pseudonymous Yearn core contributor and one of the nine members of the Curve Emergency DAO, said the flywheel was dangerous given USDM’s dubious backing.
“Internal thinking was around mitigating the feedback loop Andre described when he first drew attention to the issue. With high concentration of votes towards one pool, it could cut into other pools, ultimately hurting Curve [liquidity providers],” Banteg said. “We know for a fact USDM is a worthless collateral. In retrospect, Curve DAO should’ve done a better due diligence on it.”
The Emergency DAO ultimately elected to cut off the Mochi pool’s rewards. At the time of writing, the pool has more than 31 million USDM valued at $0.49 per token and $1.3 million in stablecoins. Banteg noted he wasn’t among the signers on the transaction that ended emissions to Mochi’s pool.
Charlie said that the lack of basic security practices and not Azeem’s reputation led the DAO to take the unprecedented action. This is the first time the Emergency DAO has been invoked.
“I don’t think this Mochi situation is comparable to any other protocol building around Curve. There is a clear pattern of misbehavior and lack of concern for security, best practices and users’ funds,” Charlie said.
“I’m aware [Azeem] hasn’t got the best reputation, but I also don’t know about what happened with those other projects, and I prefer to work with the information I do have.”
Azeem told CoinDesk that Mochi will address the security concerns expressed by the Emergency DAO and that the team plans to add “more secure multisig structure with additional signer requirements per transaction, suitable LTV (loan to value) parameters and clear tokenomics.”
“Once these are resolved we believe the gauge reinstatement will be deemed suitable, independent of strategic fears the whales and influencers may have with respect to our bold approach to gaining voting power in the DAO,” he said.
Rules of engagement
Mochi’s aggressive strategy and Curve’s ensuing governance action have prompted significant debate in the DeFi community.
Azeem blamed an unnamed “DeFi cartel” for how Mochi Inu has been treated, saying that Mochi poses a threat to the Curve Wars status quo.
“They are shocked and feel threatened that a small player on the outskirts of the Curve/Convex ecosystem became a powerhouse and a threat to their fledgling monopolies overnight. Is this not DeFi?” he asked.
Likewise, a number of observers have criticized both the existence of the Emergency DAO and its decision to act, saying that singling out a single user is inappropriate in what should be a permissionless system.
Regardless of the controversy, Curve’s Charlie expressed some relief that there are now clear rules of engagement in the Curve Wars.
“I’m somewhat glad we drew the line of what a protocol can and can’t do. We’ve seen an escalation of bribes with different protocols trying to grab more and more power with Convex and Curve.”