Andre Cronje Diehards Take "Test in Prod" Over The Edge With $15M Hack
Also, DIA's Paul Claudius on the "fork or no fork" dilemma he and other founders faced after KuCoin hack.
|Sep 29, 2020||3|
Hello Defiers, here’s what’s going on in decentralized finance today,
Paul Claudius on DeFi project’s decision to freeze tokens after KuCoin hack
Andre Cronje’s latest project Eminence gets hacked for $15M before going live
Suprfluid is the latest payment streaming protocol
and more :)
🙏💖 Thanking Everyone Who Has Contributed to The Defiant’s Gitcoin Grant! Only Three Days Left to Contribute!
If you like the work that we’re doing, please consider sending some love our way. It really does go a long way and even 1 Dai makes a big impact thanks to the magic of quadratic funding.
DeFi 101 will serve as an introduction into decentralized finance, with 30 planned episodes. This is not intended to be the first episode of the series but rather a standalone episode to test the ground for the future of this series. So feel free provide feedback. The video was produced in partnership with Alp Gasimov, Robin Schmidt of Harmony Protocol and DeFi Tutorials with DeFi Dad.
🙌 Together with Zerion, a simple interface to access and use decentralized finance, Perpetual Protocol, which provides decentralized perpetual contracts for any asset, and HackAtom V, a two-week virtual hackathon organized by Cosmos.
To Fork or Not to Fork - A Hack of a Question
The DeFi dilemma in the wake of the $200M KuCoin exploit.
By Paul Claudius, co-founder of oracle provider DIA
Following the recent hack of Hong Kong-based centralised crypto exchange KuCoin, many DeFi projects were quick to freeze their smart contracts and initiate a token swap to do damage control and undermine the hacker’s ability to monetise on his actions. Others rejected using centralized infrastructure to exert this power. The difference in responses brings up an age-old question in the realm of DLT: How much decentralization do we really want?
On Friday, September 25, a malicious actor or actors routed an estimated USD 200 million worth of digital assets from the exchange to an external address, affecting hundreds of thousands of users and well over 100 projects. The hack, which affected projects of all sizes, posed a looming threat of massive token dumps, potentially crashing token prices and investor morale. The community watched the event unfold in real-time via the hacker’s wallet on Etherscan and Ethplorer.
As of Saturday, September 26, smaller tranches of tokens from a broad range of projects were being sold off. This compelled projects to take mostly discretionary decisions that would potentially impact thousands of KuCoin clients and entire communities.
Pressure to Act
As the situation unfolded, the impacted projects took the initiative to support and coordinate among each other, while KuCoin was requesting projects to unilaterally initiate a fork or pause contracts.
Projects were evaluating this course of action when the hacker increased pressure by moving over two million of Ocean tokens to liquidate on Uniswap from his master wallet. The swift progression of the situation painfully highlighted the risks borne both by the vulnerabilities of centralized infrastructure as well as the continuous nature of DEXs:
Centralised infrastructure creates opportunities for hackers and decentralized infrastructure allows them to monetize on it.
The way that we deal with such situations and the decisions we take to mitigate them and what we expect from decentralized organizations and decision-making processes is - at least in part - what defines the projects themselves as well as the wider DeFi community.
Do we prefer benevolent dictators that take swift and decisive action in the interest of the community? Are we OK with surrendering the ultimate power to just one or a handful of people? Was this the root of the entire debacle in the first place? Or do we prefer the other extreme - absolute decentralization at all costs that might not reflect communities’ current sentiment and cause them to suffer an immediate adverse financial impact?
Projects such as Ocean acted quickly and diligently and paused their smart contract before initiating a token swap. Problem solved, back to business. The victims get back their funds and the hacker’s exit path is blocked. The same was true for Bitfinex (USDT), Velo Labs (VELO), VIDT_Datalink (VIDT), Silent Notary (SNTR), Covesting (COV), KardiaChain (KAI), Opacity (OPQ), Orion (ORN), and Ampleforth (AMPL), according to KuCoin. They all froze, disabled, re-issued, or swapped the compromised funds, allowing about half of the total hacked funds to be recovered.
The solution works and the projects can continue operations, yet an aftertaste of controversy remains. At DIA we consciously decided against a fork. The entire vision of DIA is a reflection of the promise of decentralization: We want to move away from centralized decision making and concentration of power in the hands of a few. Prominent DeFi teams including Synthetix, Compound, and Chainlink made the same choice.
No Pause Function
The current events highlight why we believe that tokens should be designed without a function to pause or change balances. We are proponents of giving up control to enable the community to have their say on relevant matters.
We didn’t miss the irony in the fact that we also took a central decision to stick not to fork and stick to the status quo. Especially in the early phase of a project until both the community and the project itself reach some degree of maturity, centralization can make sense to make sure that DAO structures are implemented safely.
Going forward, projects will need to strike a balance where a central set of basic specifications is laid down that determines the first set of rules of voting as well the topics on which the DAO can vote. This cornerstone decision should however also not be set in stone, but rather be open for evolution over time, as the community and the market evolves.
The widespread implementation of sensible DAO infrastructure and determination of industry-wide best practices about processes and capabilities of the DAO will enable the ecosystem to mature and communities to take more ownership of relevant decisions that directly impact them.
“KuCoinGate” in our view once again emphasizes this necessity not only on a product level but especially on a governance level. If anything, this hack solidified our belief in decentralization and we are even more eager to implement a sensible DAO structure.
To conclude, I want to quote Kain Warwick the founder of Synthetix on a tweet he shared shortly after the incident: “[...] knowing that even if I proposed a fork or something equally crazy the community would harshly reject it removes any sense of being conflicted. I am now not even in a position to make a bad choice against the will the community, and it feels amazing.”
HackAtom V is the Cosmos online hackathon. Inter-Blockchain Communication, the flagship interoperability protocol that has been in development for the past 2 years, will be launching in the Cosmos Network. Join HackAtom V (five), a 2-week virtual hackathon, to use the IBC protocol before it is launched on mainnet and be amongst the winners who will take home $50,000 in prizes, valued in the Cosmos staking token, ATOM. HackAtom V (five) is coming soon to a Devpost near you. HackAtom V starts on October 16th and will be running for 2 weeks.
Eminence Finance Exploit Leads to Degen Trader Rug Pull
The latest ‘test in prod’ experiment from Yearn founder Andre Cronje has many degen traders questioning their YOLO nature following a flash loan attack of contracts which hadn’t been officially released to the public yesterday afternoon.
Eminence Finance, an NFT gaming ecosystem which was still in development, was exploited by a hacker who stole $15M after traders rushed to farm EMN - a token meant to act as a reward stablecoin with zero inherent value.
“It's a flat currency, not a token.” Cronje commented in a private group. “Meant for non speculative ingame purchases only”.
There was no official announcement on the launch or public website. All it took was an eminence.finance Twitter account, cryptic tweets, and Cronje’s retweets, for traders to find the contracts and flood into the mysterious protocol, hoping to get in early on ‘the next YFI’.
The contracts were about 3 weeks from completion by Cronje’s account, and hadn’t been properly tested and secured. This gave one savvy hacker the opportunity to use a flash loan to drain the pool of all its funds less than three hours after the project went viral on Crypto Twitter.
A Series of Unfortunate Events
A flurry of activity rose around the release of Eminence Finance after a public Twitter account showcasing different factions or teams for popular DeFi protocols like Chainlink ‘Marines’ and Synthetix ‘Spartans’ was unveiled and retweeted by Cronje.
A series of related tweets and posts stemmed from that, including a Medium a blog post on how to “manually mint http://Yearn.finance latest creation, Eminence ($EMN).”
Once confirmed as being deployed from the primary Yearn address, many were quick to start interacting with the contract, depositing DAI to mint EMN directly through the contract prior to a front-end being available. It’s important to highlight, this wasn’t just unaudited code like the case of Sushi or Yam; there was no information or even a front-end. Nobody knew exactly what the project was. All there was were a few speculative tweets.
The premise of an NFT-based Battle Royale incubated by Cronje was enough to get degens excited, with many blindly deploying funds in a term coined as ‘aping’ - or rushing to throw money into an unaudited smart contract.
As degens began to flock into the faction of their choosing, a hacker was able to use a flash loan to mint EMN on a tight bonding curve to increase the price. For every EMN minted, the price would increase incrementally along the curve. As the price increased, the hacker burned EMN for any of the wrapped eTokens - Eminence’s native versions of popular DeFi tokens like Aave - to cause a large supply drop and increase the token price dramatically.
This gap allowed the hacker to acquire large sums of EMN and then sell the other tokens to recursively cash in DAI profits.
Image source: Banteg
15 Million Dai
In total, nearly 15M of DAI was siphoned in the process, leaving virtually all participants with nothing but a lesson in diligence to show.
Luckily for those affected, the hacker has graciously returned $8M of lost funds, good for a forthcoming 50% refund as per balances taken at a snapshot the block before the hack took place.
Now, many are left to theorize why any funds were returned at all, and whether or not this exploit marks the death of Eminence Finance before it ever began.
Risk of Unaudited Code
Cronje has signaled that the experiment is beyond recovery. Despite a fascinating premise, Andre’s diehard following has taken testing in prod over the edge, showing that not all unaudited contracts are exploit-free.
While this is certainly not the last experiment from Cronje, let Eminence show that until there is an official Medium post about a project the DeFi rockstar is affiliated with, these contracts are not meant to be toyed with.
Superfluid Unlocks Programmable Cashflows
A new money streaming protocol called Superfluid has showcased its design for a smart contract framework for recurring, gasless token distributions.
The project enables digital asset transfers according to predefined rules, repeatedly over time with one on-chain transaction. Superfluid calls the new smart contract framework enabling this is “agreements.”
“Superfluid streams are a constant flow of transactions that are executed automatically every time a new block is minted on the blockchain.”
The framework underpins ‘SuperApps’ or those leveraging the smart contract framework for new ways to issue programmable cashflows in an automated, gas-friendly fashion. Examples of Superfluid’s Real-Time Finance include:
DAOs that redirect all incoming streams to pay rewards to members
ERC20 tokens, entitling the holder to automatic reward distributions and
Yield Farming, but with automated harvesting every second
Building Off Sablier
Evolving on the premises laid forth by Sablier, Superfluid extends streamable value to a variety of use cases, giving any developer the ability to program a recurring action that is processed automatically each block, with minimal gas. These actions happen so long as there are sufficient funds in the creator’s account, meaning there is no need to pre-load an agreement like Sablier.
“In Superfluid all accounts and streams are interconnected, and liquidity isn't siloed in independent streams like in Sablier” a Superfluid developer commented in the project’s Discord.
While the project is still in its infancy, its code is available for the upcoming ETHOnline hackathon, giving teams a chance to build the first SuperApp set to make a splash in the highly composable world of DeFi.
Coinbase co-founder and CEO Brian Armstrong took a stance against taking public stances yesterday. In a controversial post, he said, Coinbase is “going to focus on being the best company we can be, and making progress toward our mission,” and it will “focus minimally on causes not directly related to the mission, including policy decisions, non-profit work, broader societal issues and political causes.
The move was controversial as it comes after thousands have taken to the streets this year in the US to protest against police brutality and racism, with many companies taking a stance to support the movement.
Crypto researcher Hasu dove into the implications of centralized stablecoins now backing most of Dai. First, he clarifies that while earlier estimates pointed to 40% of Dai collateral was made up of assets relying on centralized custody, the figure is actually close to 60% when considering the collateral ratios. But, he argues the issue is only temporary as arbitrageurs are incentivized to make an instant profit, return Dai to its peg, and unwind their stablecoin positions.
The Defiant is a daily newsletter focusing on decentralized finance, a new financial system that’s being built on top of open blockchains. The space is evolving at breakneck speed and revolutionizing tech and money. Sign up to learn more and keep up on the latest, most interesting developments. Subscribers get full access at $10/month or $100/year, while free signups get only part of the content.
About the founder: I’m Camila Russo, author of The Infinite Machine, the first book on the history of Ethereum. I was previously at Bloomberg News in New York, Madrid and Buenos Aires covering markets. I’ve extensively covered crypto and finance, and now I’m diving into DeFi, the intersection of the two.