“$70 million was stolen in total this weekend” and “Had platforms like Aave or other DeFi lending protocols used the (now drained) CRV/ETH Curve pool as an on-chain oracle, they would have gotten completely rekt with bad debt” are two quotes from the original article that highlight the risks of automated trading in the world of decentralized finance (DeFi). This weekend’s spate of attacks on several key DeFi platforms, including Curve Finance, Alchemix, Pendle, Metronome, and JPEG, resulted in $70 million being stolen in total. In response, DeFi lenders began pulling funds out of other DeFi platforms, spiking borrowing fees across the specialized financial subsector.
White-hat hackers were able to remove assets from a few lending pools on Curve to prevent their theft, and three out of the five total malicious attacks were apparently front-run by MEV (maximal extractable value) experts. MEV is a controversial but unstoppable aspect of how public blockchains work: it allows third parties and automated machines to search out and reorder unfinalized transactions waiting in the mempool for profit.
The attacks are apparently rooted in vulnerabilities found in Vyper, a programming language used specifically to write smart contracts on Ethereum. Chainlink, the on-chain data provider, is also receiving some praise for preventing sector-wide collateral damage in the attack.
In light of this recent black eye for DeFi, and considering that even on-chain trade execution can apparently go so wrong, it seems like an outsized risk to give up the only benefits that blockchain brings to commerce: immutability and transparency. Crypto traders have demonstrated that they are often willing to trade in some of the assurances of fully on-chain crypto for better prices, faster transactions or just a leg up, but this weekend’s attacks highlight the risks of automated trading.