DeFi Bulletin: Curve launches crvUSD stablecoin, and 0VIX hacked for $2 million

The decentralized finance (DeFi) sector continues to attract heightened attention from cryptocurrency investors. ForkLog has assembled the most significant events and news from recent weeks in this digest.

Key metrics of the DeFi segment

TVL rose to $49.15 billion. Lido led with $12.19 billion, while MakerDAO ($7.36 billion) and AAVE ($5.4 billion) occupy second and third places, respectively.

TVL in Ethereum apps fell to $28.71 billion. The trading volume on decentralised exchanges (DEX) over the last 30 days amounted to $70.1 billion.

Uniswap continues to dominate the non-custodial exchange market — accounting for 60.6% of total trading volume. The second DEX by trading volume is PancakeSwap (17.9%), the third is SushiSwap (9.4%).

Uniswap unveils solutions to reduce protocol costs

The Uniswap team created new Permit2 approval mechanism, which enables smart contracts to move tokens on behalf of users.

Developers say there are situations where multiple transfers are required, and therefore gas fees, which lead to user dissatisfaction and potential security risks.

Permit2 allows network participants to set their own permissions and approve token transfers with a single signature, while also significantly reducing fees.

Uniswap created the so-called NFT universal router for token swaps and NFTs.

“Routers are optimised for finding the lowest prices and executing trades with the lowest gas costs. […] With the new smart contract, users will be able to perform multiple swaps on Uniswap V2 and V3 and purchase NFTs on various marketplaces in a single transaction,” the platform’s blog says.

Both technologies are interconnected. Thus the user passes the Permit2 authorization directly to the router, requiring no additional computations.

Curve Finance launches crvUSD stablecoin on the Ethereum mainnet

The Curve Finance team deployed on the Ethereum mainnet the smart contracts of the decentralised stablecoin crvUSD.

The US dollar-pegged stablecoin will use an over-collateralised model like DAI from MakerDAO.

The stablecoin is built on an algorithmic Lending-Liquidating AMM that continually liquidates and automatically deposits collateral to manage risk and maintain parity with the US dollar.

DeFi protocol 0VIX hacked for $2 million

An attacker withdrew more than $2 million in digital assets from the 0VIX DeFi protocol, presumably as a result of an attack using flash-loan.

According to on-chain data, the hacker’s haul included:

• approximately 1.45 million USDC;
• approximately 0.58 million USDT;
• approximately 9,566 Aavegotchi (GHST) tokens.

An unknown actor transferred assets from the Polygon network to Ethereum via the cross-chain bridge Stargate Finance and converted them to ETH.

The 0VIX team confirmed the incident without providing details and paused markets on Polygon and zkEVM. The latter were not affected by the attack, and the measures were precautionary.

Developers say the attack vector is linked to GHST.

“The primary cause of the exploit was a vulnerable GHST oracle, which allowed the attacker to manipulate the price,” Hacken experts confirmed.

DEX Merlin on zkSync Era hacked for $1.82 million

The zkSync Era-based decentralised exchange Merlin lost approximately $1.82 million in assets following what is believed to be an exploit, soon after CertiK’s audit.

The exchange’s developers said they were investigating a possible breach and advised users to revoke approvals for all smart contracts.

The incident occurred right after the platform’s main yield-farming pools went live. On 24 April CertiK completed a second safety audit of Merlin’s codebase.

CertiK specialists said preliminary investigations indicated a potential issue with private-key management as the primary cause of the unauthorized withdrawal, not an exploit.

The DEX eZKalibur team reportedly identified malicious code in Merlin’s software that allowed the theft of assets. The exchanges use smart-contract code similar to that of another decentralised platform on the zkSync Era network — Camelot.

Unlike rivals, Merlin’s contract-implementation includes two lines that enable unlimited withdrawals to its own address.

Also on ForkLog:

• DeFi protocol Thetanuts attracted $17 million.
• Asymetrix will distribute $3.4 million among early users.