Author: Luke (DeFi enthusiast, Cobo Argus product manager)

The DeFi world has been in crisis these days due to the latest attack on Curve. Since the attack on July 30, the price of CRV has plummeted from 0.74 USDT to below 0.5 USDT. It rebounded slightly today and is currently stable above 0.6 USDT. Although it has been found that the attack was caused by a bug in the old version of Ethereum programming language Vyper, the crisis facing Curve has not been eliminated.

Since the founder of Curve will hold a large amount of CRV for collateralized lending on the chain, once the price drops further, it is possible that a large amount of CRV will be liquidated, forming a chain of liquidations, and it is not impossible for the CRV price to return to zero. As one of the largest protocols in the DeFi field, the latest crisis faced by Curve has once again dealt a major blow to the security and credibility of DeFi, which may also have many adverse effects on the future development of DeFi.

Here, the author only discusses how to prevent similar potential risks in daily DeFi mining from the perspective of miners participating in DeFi mining, and what feasible solutions and tools can be used.

Background

First, let’s briefly review the Curve crisis through a timeline.

On July 30, at 21:34, the pETH-ETH pool on Curve was attacked, and the price of pETH fell to $383. At 22:50, the msETH-ETH pool on Curve was attacked. At 23:34, the alETH-ETH on Curve was attacked.

At 0:44 on July 31, the Ethereum programming language Vyper tweeted that the reentry locks of Vyper versions 0.2.15, 0.2.16, and 0.3.0 were invalid.

At 0:45, Curve tweeted that due to a reentry lock failure, the stablecoin pool (alETH/msETH/pETH) using Vyper 0.2.15 was attacked, and other pools were safe.

At 3:08, CRV-ETH was attacked, and the on-chain CRV fell to a minimum of around 0.08.

At 16:41, Curve tweeted that everyone should remove the liquidity of the Tricrypto pool on Arb. Although it has not been attacked, the pool may also be at risk.

Due to the attack on Curve, a large number of abnormal events also occurred on the chain. The price of CRV plummeted, and the panic of mich's loan positions being liquidated caused users to withdraw liquidity from Aave, and the interest rates of USDC and USDT increased abnormally. The DeFi world is involved in a series of related risks.

Cause Analysis

The special thing about this security incident is that it was a bug in the smart contract language that caused the reentrancy lock defense of some well-known projects to fail. Fortunately, the problem was with Vyper rather than Solidity, otherwise the entire DeFi world might be in danger.

DeFi has attracted a large number of users to participate because of its low friction cost and composability, as well as increased investment income higher than the traditional world. However, wallet security and smart contract security have always been the sword of Damocles hanging over DeFi.

The collapse of time-tested old protocols such as Euler and Curve has indeed caused many DeFi believers to begin to lose confidence. Once a problem occurs in the protocol, the entire principal is often lost. In addition to smart contract risks, there are also phishing risks, private key leakage risks, etc. How to achieve both security and efficiency when participating in DeFi has always been a problem that has plagued the industry.

The Cobo team has been active in the DeFi field for a long time and is also known for its focus on security. Within Cobo, there is already a set of internal solutions for various DeFi security issues. The Cobo team has now productized this internal solution and launched Cobo Argus, a solution for DeFi scenarios, and quickly reached a TVL of 100 million US dollars after the new version was launched.

preventive solution

It is almost impossible to prevent incidents like what happened to Curve last night. For ordinary DeFi miners, they can only see whether they can find the problem and take countermeasures in the first time. In this case, if tools such as Cobo Argus can be used properly, it will be of great help. The withdrawal robot function provided by Cobo Argus can monitor the risk indicators on the chain and help users withdraw in the first time when abnormalities occur.

The following is a detailed analysis of how to use the withdrawal robot on Cobo Argus based on Curve:

When there are problems with the Curve pool, there are two obvious signs:

1. There has been a significant degree of decoupling of the pegged assets;

2. Due to hacker attacks and the flight of large investors, TVL dropped sharply.

If we use Cobo Argus, we can set these two monitoring indicators to monitor the proportion of a certain token in the LP pool and the comparison between the principal invested by the user and the total amount of funds in the LP pool. In this way, we can monitor the anomaly in the first place and the robot will automatically withdraw the principal.

In general, most users only learn about the risks of the DeFi protocol through warnings from white hats on Twitter. By then, several hours may have passed since the attack, and there is no chance to save the principal.

By using robots to monitor risk indicators on the chain and automatically evacuate as soon as there are risk signals, it can effectively help users save their assets.

Hacker attacks, token decoupling, loan agreement runs...all kinds of on-chain risk events can be monitored through some specific indicators. Cobo Argus also allows users to set up custom robots, custom monitoring indicators and contract calls after the robots are triggered.

For expert users with good DeFi knowledge, they can set the monitoring values ​​and robot actions themselves, and in theory, they can be used on any DeFi protocol. In the Cobo Arugs community, a user recently saved his assets from a lending agreement by using a custom robot.

All these functions are decentralized and trustless - the robot is operated and maintained by Cobo, but the robot can only execute DeFi operations authorized by the user and cannot perform other operations beyond the authorization. All authorizations will be recorded in a non-upgradeable smart contract. The contract code and authorization records are completely transparent on the chain and can be audited by anyone.

To add, Cobo Argus’ smart contract is based on the plugin function of Safe{Wallet}. Safe{Wallet} is the largest, highest TVL, and most recognized safest multi-signature wallet in the Ethereum ecosystem. Most DeFi protocols use Safe{Wallet} to manage the treasury. Plugin is the latest capability launched by Safe{Wallet}, which supports third-party developers to expand the capabilities of Safe{Wallet} by writing plugins.

Cobo has always had close ties with the Safe{Wallet} team and developed Cobo Argus in the early days of the plugin capability launch. Based on Safe{Wallet}, a series of solutions were launched for DeFi scenarios:

  • DeFi authorization: You can authorize a wallet to execute specific DeFi protocol operation permissions with a single signature. Although using Safe{Wallet} and hardware wallets is relatively safe, the use process is inefficient and cumbersome, and is not suitable for frequent DeFi operations, especially when DeFi protocol crashes occur, this inefficiency and cumbersomeness is often fatal.

By authorizing a specific permission to a certain address for single-signature execution, efficiency can be improved without reducing security, because this address can only perform specific authorized operations and cannot exceed its authority or transfer the principal.

Through the authorization function of Cobo Argus, you can avoid situations such as phishing and misoperation, leakage of hot wallet private keys and loss of all principal, and malicious transfer of funds within the team.

  • DeFi Robot: Based on the DeFi authorization function, Cobo Argus has launched a robot function that supports users to authorize specific DeFi protocol permissions to the robot, and then the robot performs automated operations, such as automatic claim rewards, automatic selling and reinvestment, and automatic withdrawal.

At present, Cobo Argus is already used by many DeFi asset management teams and individual DeFi Whales, which not only improves DeFi efficiency but also strengthens asset security protection. Recently, projects such as Solv and izumi have also used Cobo Argus as the underlying decentralization and security tool. In the future, Cobo will continue to innovate, protect ordinary users and builders in the industry, and promote innovation and progress in the industry.

Finally, DeFi still has unlimited potential in the long run, but mining in the DeFi world can never avoid potential risks, so I hope everyone will participate with caution. "If you want to do your work well, you must first sharpen your tools." While DeFi miners are more vigilant and accumulate experience, they can also use tools to best respond to different risks.