
DeFi Bulletin: TVL climbs to $60bn, and the Fed flags threats to the DeFi sector
The decentralised finance (DeFi) sector continues to attract heightened attention from cryptocurrency investors. ForkLog has compiled the most important events and news of the recent weeks into a digest.
Key DeFi metrics
TVL in DeFi protocols rose to $60 billion. MakerDAO led with $8.51 billion, while Lido ($7.63 billion) and AAVE ($6.58 billion) held second and third place respectively.

TVL in Ethereum applications rose to $35.17 billion. Over the last 30 days the figure declined by 6% (on August 10 the value stood at $37.29 billion).

Trading volume on decentralized exchanges (DEX) over the last 30 days stood at $53.1 billion.
Uniswap continues to dominate the non-custodial exchange market — it accounts for 63.9% of total turnover. The second DEX by volume is Curve (13.1%), the third is DODO (8.2%).
The Fed identifies the DeFi sector as a potential threat to financial stability
With the growth of the cryptocurrency market’s capitalization, the DeFi sector could pose long-term risks to financial stability. This was stated by analysts from the research group of the Federal Reserve System (the Fed).
According to analysts, the threat is linked to the lack of clear regulatory rules for decentralized applications. In the published study they noted that the sector has not yet become “systemically important,” but government agencies should devote more attention to it.
“The rapid growth in the role of blockchains suggests that directive authorities must begin serious consideration of the full range of financial stability issues that could arise if such activity becomes systemically important,” the document states.
The Fed stresses that regulators do not have the tools necessary to enforce laws and regulations in DeFi. In the analysts’ view, players in the sector will “use any and all advantageous opportunities, regardless of supervisory concerns.”
The Fed also published a separate study on the impact of digital assets on financial stability. Analysts noted the need for tighter oversight of crypto firms that hold client funds.
“Oversight, comprehensive disclosure, and, where necessary, capital and liquidity requirements can enhance the resilience of digital asset ecosystem entities. For example, centralized entities acting as counterparties for retail users typically do not face capital, liquidity, or comprehensive disclosure requirements,” the report says.
Analysts say the crypto industry “tends to accumulate financial vulnerabilities.” At the same time, the Fed called the risks to economic stability “insignificant” due to the limited interconnection of digital assets with the traditional market.
“If the digital financial system becomes more interconnected with the traditional one or expands the scope of financial services, these risks could quickly become material,” they added.
FBI identifies common attack vectors in the DeFi space
The FBI issued a warning about the most frequently encountered vulnerabilities used by cybercriminals to attack DeFi platforms.
According to Chainalysis, from January to March 2022 criminals stole $1.3 billion in cryptocurrency. Of that, nearly 97% was stolen from DeFi platforms.
The FBI highlighted three common tactics for attacking this segment of the crypto market:
- initiating a flash-loan attack (the attack on the DeFi platform bZx was conducted this way in November 2021, causing $55 million in losses);
- exploiting a vulnerability in cross-chain bridges (Nomad hack in early August, more than $90 million stolen);
- price manipulation by exploiting a set of vulnerabilities, including a single-price oracle exploit (Deus Finance exploit in April 2022, $13.4 million stolen).
“Cybercriminals seek to take advantage of heightened investor interest in cryptocurrencies, as well as the complexity of inter-network functionality and the open-source nature of DeFi platforms,” the agency officials added.
Blockchain security firms note that the most dangerous vulnerabilities relate to compromising smart contracts.
“The code of smart contracts cannot usually be changed to fix security flaws. Assets stolen from smart contracts cannot be recovered and are extremely difficult to trace,” said the Ethereum Foundation.
For its part, the FBI recommends carefully examining DeFi platforms, protocols, and smart contracts for independent audits, and assessing investment risks in this sector.
MakerDAO co-founder calls for detaching DAI from the dollar
The freely floating DAI is the only path to decentralisation and regulatory compliance, says MakerDAO co-founder Rune Christensen.
He noted that after September 11, 2001, financial regulation tilted toward zero tolerance for tools authorities cannot control. Recent events such as the collapses of Terra, Celsius and others have undermined trust in digital currencies and DeFi, Christensen added.
“Physical crackdowns on the crypto industry can occur without notice and without the possibility of redress even for law-abiding, innocent users,” he believes.
According to him, this undermines the core assumptions behind risk-weighted assets (RWA) for backing the DAI stablecoin, and makes the “authoritarian threat” very serious.
Maker cannot blacklist, so the platform cannot meet compliance requirements, Christensen argues.
“The only option is to limit the attack surface, reducing the exposure of RWA to a maximum fixed percentage of total collateral. To do this, you need free-floating away from USD,” concludes the MakerDAO founder.
In Christensen’s view, two tools could help ensure this: MetaDAO and Protocol Owned Vault.
DAI yield farming via MetaDAO will allow users to adopt a floating-to-dollar exchange rate for the coin. The reward tokens will incentivise the supply of DAI through decentralized collateralisation, Christensen believes.
The Protocol Owned Vault storage will enable the protocol to earn revenue from negative target rates for DAI and set their cap.
As of writing, 51% of Maker’s DAI supply is issued with USDC collateral. The total value of funds locked on the platform stands at $9.26 billion.
DeFi project OptiFi suffers a $661,000 loss in a failed upgrade
The Solana-based DeFi protocol OptiFi unexpectedly shut down its mainnet, locking user funds in USDC worth $661,000.
Developers said the error occurred during the protocol update. The process took longer than expected, likely due to Solana congestion.
As a result, they halted the deployment, but later created an intermediate account. In an attempt to delete this buffer account, the developers used the solana program close command.
“Here we found that we did not fully understand the impact and risk of this command. The Solana program close is really intended for the final closure of a program and the return of SOL from the buffer account used by the program to the recipient’s wallet,” the OptiFi team explained.
The developers assured they would compensate all funds to users.
They also said they learned lessons and, among other things, intend to:
- conduct updates with at least three participating nodes;
- separate liquidity pools in AMMs from the main program to minimise the consequences of such mistakes.
Richard Pattle, a developer of Firedancer, Jump Crypto’s Solana client, proposed a fix that could help prevent similar incidents in the future and, presumably, return the blocked OptiFi funds.
Investments in DeFi
The decentralised lending platform Credix closed a Series A financing round of $11.25 million. It was led by Early Stage Motive Partners and ParaFi Capital.
Funding was also provided by Valor Capital Group, Abra, MGG Bayhawk Fund, Victory Park Capital, Circle Ventures and other investors.
The raised funds will be used to scale operations in Latin America.
Hacks and scams
The DeFi platform Nereus Finance on Avalanche came under an arbitrage attack using a flash loan of 51 million USDC. The hacker earned approximately 370,000 USDC, according to CertiK.
Using the borrowed funds, the attacker manipulated AVAX prices on Nereus. After completing arbitrage trades and returning the loan, about 370,000 USDC remained at the attacker’s address.
Then the attacker moved funds from Avalanche to Ethereum. At the corresponding address on the second-largest network, he had 194 ETH (~$310,000) and 15,850 DAI.
Most of the ether, in four transactions of 45 ETH each, was sent to addresses belonging to FixedFloat, a platform for exchanging digital assets. At the time of writing, the attacker’s Ethereum wallet held 12.7 ETH and all 15,850 DAI.
Hackers breached the external interface (frontend) of the non-custodial exchange KyberSwap, part of the DeFi project Kyber Network. Users suffered losses of 265,000 USDC.
On September 1 the KyberSwap developers detected suspicious activity at the frontend level. After taking the interface offline to investigate, they uncovered malicious code in the Google Tag Manager (GTM) tool.
The exploit injected a false approval for transactions, allowing hackers to drain user funds to their addresses.
The team relaunched the interface in under two hours, removing the malicious code from GTM.
The attack affected two addresses. The developers asserted affected users would receive full compensation. They believe the attackers targeted whales.
The KyberSwap team identified the attackers’ addresses on the Ethereum and Polygon networks, and contacted various exchanges to track and block movements of stolen assets.
According to PeckShield, the initial funds for the attack were withdrawn from the centralized BitMart platform.
KyberSwap invited the hackers to contact them and return the stolen funds in exchange for a reward of 15% of the amount.
Binance CEO Changpeng Zhao said the security team at the bitcoin exchange identified two suspects in the hack and passed the information to KyberSwap colleagues. The company is now coordinating its actions with law enforcement.
On September 6 the Kyber Network developers said they had closed the attack vector on the KyberSwap DEX and compensated losses of 265,000 USDC.
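A defensive check against the kind of injected approval described in the KyberSwap incident, as an added example that is not code from ForkLog or Kyber Network: it decodes transaction calldata before signing and rejects a token approval whose spender is not on an allowlist. It assumes the injected approval took the form of a standard ERC-20 approve(spender, amount) call; the allowlist, the addresses and the function names are hypothetical.

```javascript
// Added example: inspect transaction calldata before it is passed on for signing.
const APPROVE_SELECTOR = "095ea7b3"; // ERC-20 approve(address,uint256)
const MAX_UINT256 = (1n << 256n) - 1n;

// Hypothetical allowlist: spender contracts the dApp is known to use (constructed value).
const TRUSTED_SPENDERS = new Set(["0x1111111111111111111111111111111111111111"]);

// Build approve() calldata; used here only to construct sample input.
function encodeApprove(spender, amount) {
  const addr = spender.toLowerCase().replace(/^0x/, "").padStart(64, "0");
  return "0x" + APPROVE_SELECTOR + addr + amount.toString(16).padStart(64, "0");
}

function inspectApproval(calldata, trusted = TRUSTED_SPENDERS) {
  const hex = String(calldata).toLowerCase().replace(/^0x/, "");
  if (!/^[0-9a-f]*$/.test(hex)) {
    return { isApprove: false, verdict: "reject", reason: "calldata is not hex" };
  }
  if (hex.slice(0, 8) !== APPROVE_SELECTOR) {
    return { isApprove: false, verdict: "pass", reason: "not an approve() call" };
  }
  // Selector (8 hex chars) plus two 32-byte ABI words (64 hex chars each).
  if (hex.length !== 136) {
    return { isApprove: true, verdict: "reject", reason: "unexpected approve() length" };
  }
  const spenderWord = hex.slice(8, 72);
  // An address fills the low 20 bytes; the upper 12 bytes must be zero.
  if (!spenderWord.startsWith("0".repeat(24))) {
    return { isApprove: true, verdict: "reject", reason: "non-zero address padding" };
  }
  const spender = "0x" + spenderWord.slice(24);
  const amount = BigInt("0x" + hex.slice(72));
  const unlimited = amount === MAX_UINT256;
  if (!trusted.has(spender)) {
    return { isApprove: true, spender, amount, unlimited, verdict: "reject",
             reason: "spender not on allowlist" };
  }
  const verdict = unlimited ? "warn" : "pass";
  return { isApprove: true, spender, amount, unlimited, verdict,
           reason: unlimited ? "unlimited allowance to trusted spender" : "ok" };
}

// Constructed samples: a routine approval and one to an unknown spender.
const samples = [
  encodeApprove("0x1111111111111111111111111111111111111111", 1000n),
  encodeApprove("0x2222222222222222222222222222222222222222", MAX_UINT256),
];
for (const s of samples) console.log(inspectApproval(s).verdict, inspectApproval(s).reason);
```

The check covers only approve(); other allowance-granting calls need their own decoding. It is only meaningful when it runs outside the page that third-party tags can modify, for example in the wallet or a signing proxy.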
Also on ForkLog:
- 1inch Network will distribute 300,000 Optimism tokens.
- The Aave community backed the suspension of borrowing on Ethereum ahead of The Merge.
- Compound temporarily froze cETH operations due to a bug in the protocol update.
- The DeFi protocol Sushi will integrate the Boba Network.