The rise of DeFi and the billions of dollars worth of assets flowing through smart contracts on Ethereum has produced a growing crop of technical auditors, who scour code for any parameter or permission that can be exploited for financial gain. They’ve been busy lately, although many are just yolo’ing into a mainnet launch.
Ask any auditor what opens up the largest attack vector, and inevitably, the answer will be “governance”. Smart contract risks and exploits can be limited to the existing permissions of the contract, but governance – by definition – sets rules for the rest of the system, so co-opting it is akin to a 51% attack on a base layer chain.
Liquid Governance
Maker was the first project to fear a governance attack from rogue token accumulation. In the migration to multi-collateral Dai, it lowered its governance delay to 0, which meant that an attacker with $41m in MKR could co-opt governance and drain all the collateral, according to security researcher Micah Zoltu. Maker later increased the Governance Security Module (GSM) delay to 24 hours, so there would be time to insulate the system from the attack.
The source of the vulnerability to this attack is obvious: MKR is a freely traded token that also contains governance rights. An attacker does not have to infiltrate the system, just accumulate MKR and acquire the governance power it entails.
Liquid governance means that control of the system can be transferred, and inevitably, traded on the open market. Time locks help protect against flashloan attacks and locking up tokens for governance keeps short-term speculators out, but optimizing an ideal governance system is like nailing jello to the wall.
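To make the GSM-delay point concrete, here is an added toy model (constructed for this write-up, not Maker's or any project's code) of token-weighted governance with a timelock. The threshold, timestamps and reaction time are assumed values; the scenario shows why a delay of 0 lets an attacker pass and execute a proposal in the same block, while a delay longer than the defenders' detection-and-cancel window defeats the attack.

```python
"""Toy governance timelock model (constructed example, not production code)."""
from dataclasses import dataclass

DAY = 24 * 60 * 60  # seconds


@dataclass
class Proposal:
    eta: int               # earliest timestamp at which the proposal may execute
    executed: bool = False
    cancelled: bool = False


class Governance:
    """Token-weighted governance: a passed proposal waits `delay` seconds before it can run."""

    def __init__(self, delay: int, threshold: int):
        self.delay = delay            # GSM-style delay in seconds (0 means none)
        self.threshold = threshold    # assumed simple vote threshold to pass
        self.proposals: list[Proposal] = []

    def propose_and_vote(self, votes: int, now: int) -> int:
        """Pass a proposal if the caller controls enough voting power; returns its id."""
        if votes < self.threshold:
            raise ValueError("not enough voting power to pass the proposal")
        self.proposals.append(Proposal(eta=now + self.delay))
        return len(self.proposals) - 1

    def cancel(self, pid: int) -> bool:
        """Defenders can cancel any proposal that has not executed yet."""
        p = self.proposals[pid]
        if p.executed:
            return False
        p.cancelled = True
        return True

    def execute(self, pid: int, now: int) -> bool:
        """Execution succeeds only after the timelock expires and if not cancelled."""
        p = self.proposals[pid]
        if p.executed or p.cancelled or now < p.eta:
            return False
        p.executed = True
        return True


def flash_attack(delay: int, defender_reaction: int = 60 * 60) -> bool:
    """Simulate an attacker who controls a threshold's worth of tokens for one block.

    The attacker passes a malicious proposal at t0 and tries to execute it in the
    same transaction.  If that fails, defenders notice after `defender_reaction`
    seconds and cancel; the attacker retries once the timelock expires.
    Returns True if the malicious proposal executes.  All numbers are assumed.
    """
    gov = Governance(delay=delay, threshold=1_000_000)
    t0 = 1_700_000_000
    pid = gov.propose_and_vote(votes=1_000_000, now=t0)
    if gov.execute(pid, now=t0):          # same-block execution: only works with delay 0
        return True
    if defender_reaction < delay:         # defenders get a window only if delay exceeds it
        gov.cancel(pid)
    return gov.execute(pid, now=t0 + delay)


if __name__ == "__main__":
    print("delay 0s:", flash_attack(0))                            # attack succeeds
    print("delay 24h, react in 1h:", flash_attack(DAY))            # attack fails
    print("delay 24h, react in 48h:", flash_attack(DAY, 2 * DAY))  # attack succeeds
```

The third case is the one practitioners tend to forget: the timelock only helps if the community's monitoring and response time is reliably shorter than the delay, which is why the delay should be sized to the slowest realistic defender, not the fastest.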
CRV & YFI
Curve.Finance (CRV) and yEarn.Finance (YFI) are two of the hottest DeFi projects, both of which launched liquidity mining incentives and on-chain governance systems within the last 6 weeks.
They were both crucial to each other’s success. Curve has $1.1bn in deposits, and $734m of that comes from yEarn’s Y pool, which offers efficient trading between yEarn’s interest-optimized versions of Dai, USDT, USDC and TUSD. Meanwhile, the YFI token was distributed through the same Curve pool.
But the relationship is changing as the protocols move to on-chain governance. Cooper Turley in The Defiant today:
Curve Finance proposed that CRV holders who lock up their tokens in a voting escrow can multiply their rewards by up to 2.5x, starting Aug. 28.
Token holders of yEarn Finance, which holds roughly $2.5M worth of CRV from its early liquidity provider rewards, decided to take advantage of the new incentive, locking the entirety of their CRV treasury for 4 years (the max duration).
But Curve’s core team locked up their own tokens too, overpowering yEarn’s and every other token holder in the voting escrow. They’re effectively holding ~71% of the DAO’s governance power at the time of writing.
Curve Finance is now encouraging others to lock tokens in order to dilute their super-majority power, but it’s clear that the Curve team intends to remain in control of protocol governance. Governance “moves” like this will increase, and while the dust settles, a couple of thoughts:
You can’t distribute a token while you’re establishing an on-chain governance system. Compound achieved this, but they actually started on-chain governance first. One of its first proposals was to launch the COMP rewards program.
YFI could wield tremendous power over DeFi protocols that launch liquidity mining programs.
More:
Thread on the game theory around CRV locking mechanism [Spreek]
Steem vs Tron: The rebellion against a cryptocurrency empire [Decrypt]
Chart of the Week: Traders prefer low gas
Great chart from the Formal Verification newsletter, which shows that higher gas prices pushed traders from Kyber to Uniswap. Gas fees can be 3-4 times as expensive on Kyber for a simple swap as compared to Uniswap.
Tweet of the Week: DeFi Legal Team awakens
Two separate threads on some of the evolving regulatory issues in the space. The rise of yield farming has led to a proliferation of token launches and potentially more scams that catch the eyes of regulators. The distribution events themselves will be looked into, but the DeFi products and services themselves could also come under closer scrutiny.
Odds and Ends
Aave awarded an Electronic Money license by UK’s FCA Link
Synthetix futures primer Link
How to conduct your IDO on Mesa Link
dYdX partners with Starkware to offer Layer 2 trading Link
1inch announces token and liquidity mining initiative Link
Compound proposal to alter COMP distribution mechanics Link
Opyn launches options for YFI and WETH Link
Thoughts and Prognostications
Trust Models [Vitalik]
YieldSpace: An Automated Liquidity Provider for yTokens [Allan Niemerg/Dan Robinson/Lev Livnev]
A Framework for Token Value Flows [Jon Itzler/Bankless]
The DeFi Fee Explosion: How YAM’s Collapse Drove Ethereum Fees to New Heights [Nate Maddrey/CoinMetrics]
YAM: More Than a Game (Potentially) [Trent Elmore/YAM]
The Bull Case for IDEX [Elias Simos/Bison Trails]
The Network Flywheel Effect [Ali Yahya/A16Z]
A Review of Subjective Approaches for Sybil-resistance in Proof-of-Personhood Protocols [Democracy Earth]
That’s it! Feedback appreciated. Just hit reply. Written in Brooklyn, which is as lively as ever.
Dose of DeFi is written by Chris Powers. Opinions expressed are my own. All content is for informational purposes and is not intended as investment advice.