Aug 1, 2023

Curve Finance's token (CRV) has fallen over 20% in the past three days, after the stablecoin exchange at the heart of DeFi on Ethereum fell victim to an exploit.

Video transcript

Curve Finance's token has fallen roughly 20% over the past three days after the stablecoin exchange at the heart of DeFi on Ethereum fell victim to an exploit. Joining us now to discuss is the co-founder of blockchain auditing firm BlockSec, Andy. Welcome, Andy.

Thanks for having me here. It's a pleasure.

Can you first step back and just explain to us how all this happened? Because I know for sure that Lawrence is very upset about how this can happen in the decentralized world.

Sure. I think this is because of a bug in the compiler used by Curve to compile their smart contract. There is a compiler called the Vyper compiler, and this compiler is used to compile the decentralized application of Curve. Because of the bug inside this compiler, some security mechanisms enforced inside the decentralized applications are not effective. So the attackers exploited these vulnerabilities to drain the pools, and I think the loss is around $47 million, because some of the funds have been returned by white hats to Curve.

How many pools were affected by this? The last I read, it was five. But is it more than that?

I think it's around five. Yeah, I don't have the exact number, but it's around five.

And as far as that goes, I guess, you know, to what Amata is hinting at, I think we'll get into how Curve's founder basically came in and had to step up to save the situation. Can you explain that? And also, how can something be called decentralized if it requires the action of one individual to bail it out of these kinds of problems?

Yeah, I think you made a very good point. So basically the decentralized application, Curve Finance, does not have an emergency mechanism to pause the protocol, because this is a decentralized world, right? Everyone wants that; we cannot have a centralized role to control this. But in some cases like this, if something bad happens, we have no way, no natural resort, to solve this issue. So I think this is one lesson we learned from this security issue: we cannot just say we have a purely decentralized world; we need to have some resort to prevent something bad from happening. And I think another lesson we learned from this security incident is that we cannot always trust the infrastructure that we use to build our decentralized applications, because whether this infrastructure has been well tested or well evaluated is still unknown. We should put more resources into evaluating the security of the infrastructure that decentralized applications are relying on. So I think this is necessary.

I've seen a bunch of things to that point. There are a lot of things floating around the Twitter sphere, or X sphere, I guess is what we have to call it now, showing potentially vulnerable pools out there. Does that help? I mean, there is some criticism, people saying, why are you telling other people where these vulnerabilities are, you're just inviting hackers. Is there a method by which people can say, hey, here are some vulnerable places, here's how we could check the code, et cetera? I mean, do we have to kind of wait for these iterations and attacks before the market gets it right? How long will it be, months, years from now, before we have these foolproof mechanisms in place to keep hackers from essentially attacking these pools?

Yeah, that's a very good question. So let me be very clear. We are not alerting the vulnerabilities of Curve Finance. We are alerting an ongoing attack on Curve Finance. It's very different. So the vulnerability means that there is a loophole inside the decentralized application, but no one has exploited this loophole to gain profit. An attack means that someone has already found this vulnerability and performed the attack. So basically, we needed to alert the ongoing attacks, not the vulnerabilities. That's because if we alert the vulnerabilities, the bad guys will exploit these vulnerabilities, because it's not public. But for the attack, we think it's necessary to alert the attack because the attack is currently happening. That means the bad guys already figured out everything, and we need to alert the users to withdraw their funds immediately from the pool, instead of just waiting to be drained of every token or every asset they have. So this is the critical difference between the vulnerabilities and the hacks.

So just to follow up on Lawrence's question here about centralization versus decentralization, and just looking at the larger picture here for the vast majority of the planet who has no idea how to make sense of this: why does this keep happening? There are so many hacks, and a lot of them have been aimed at DeFi. The whole idea of DeFi, right, is to avoid a honeypot. It's decentralized, right? There's not one central thing. That's the whole thing; it had one job, kind of, you know. So why does this keep happening? What's the common theme through all these hacks?

Yeah, I think every coin has two sides. So from one side, the decentralized thing means that we do not need to trust one single person, like in the centralized world. But from another perspective, decentralization and openness mean that everyone can interact with the protocol, everyone can find the vulnerability of the protocol, and everyone can attack the protocol, right? So if it's a centralized application, then you may need some permissions to interact with this protocol. But for a decentralized application, everyone can attack the protocol if they want to. So this is the dark side of the decentralized world. So in summary, I think we have two sides of a coin, the good side and the bad side. So we cannot just say decentralization is good or bad without considering all the advantages and the disadvantages.

All right. Co-founder Michael A has floated a new liquidity pool to buy time, and Justin Sun, the founder of Tron, the usual knight in shining armor of crypto, has purchased about 5 million CRV. What does that mean? Is that a placebo effect or the medicine?

That means that because the price of the CRV token is decreasing, he needed to put more tokens as collateral in order to avoid being liquidated, because the value of the collateral is decreasing. I think the consequence of this may be unknown; we will see, because whether it will affect other pools is still unknown, and whether there are some other consequences it will cause, we are unsure about this.

BlockSec tweeted about the reentrancy bug in Vyper, a programming language. I'll say that again: the Vyper programming language, used to power parts of the system. Why is this significant in this entire incident?

OK. This is because many applications are built using this compiler, right? So if there is a bug inside a compiler, even if the developers of the application do not make any fault, because of the bug inside the compiler, the generated decentralized applications will be buggy, will be vulnerable, will be attacked. That's exactly the case for Curve, right? So the DeFi application is right, because they use the [inaudible] to prevent reentrancy, but the compiler has bugs; the compiler doesn't enforce the correct logic of the decentralized applications. That's the issue, and it's a fundamental issue.

Now, my understanding is if we get down to below 37 cents on CRV, we're gonna have some... that he'll be liquidated. Do we know about some of the after-effects that could happen in that case, or does that still remain to be seen?

I think we will wait to see. So I cannot give you the exact consequence currently.

OK. All right. Thank you, Andy. That was great. That was the co-founder of BlockSec, Andy. Thank you very much for coming on.