DeFi Bulletin: TVL tops $50 billion, Yearn Finance loses $1.4 million

The decentralised finance (DeFi) sector continues to attract heightened attention from crypto investors. ForkLog has compiled the key developments and news from recent weeks in this digest.

Key DeFi sector metrics

The value of total value locked (TVL) in DeFi protocols rose to $51.5 billion. Led by Lido with $20.7 billion, the second and third spots are held by Maker ($8.4 billion) and JustLend ($6.5 billion), respectively.

TVL in Ethereum applications вырос to $28.4 billion. Trading volume on decentralised exchanges (DEX) over the last 30 days составил $77.1 billion.

Uniswap continues to dominate the non-custodial exchange market — it accounts for 55.7% of total turnover. The second DEX by volume is PancakeSwap (15.1%), the third is Trader Joe (8%).

OKX DEX suffered an exploit worth $2.76 million in what PeckShield analysts described as damage stemming from an alleged leak of the proxy-server administrator private key.

According to SlowMist, during a swap on the platform users authorize a TokenApprove contract, which then transfers the user’s tokens.

The ClaimTokens function enables a trusted DEX proxy server to call it. The servers are run by administrators who can modify the smart contract at will.

On December 12, the owner of one of the servers updated it, allowing direct invocation of ClaimTokens to transfer users’ tokens. The attacker exploited this vulnerability.

Yearn Finance loses $1.4 million due to a transaction error

As a result of an ‘erroneous scenario’ multisig-transaction, DeFi protocol Yearn Finance lost 63% of treasury funds in the yCRV LP pool.

The incident occurred during the ‘routine process of converting fee tokens’ and led to the exchange of 3,794,894 yCRV for 779,958 yvDAI. The team clarified that losses amounted to $1.4 million.

The yCRV liquid-staking token presents Curve CRV in the protocol’s pool. The project allocates funds within the structure to maintain liquidity and earn revenue from fees.

However, due to a glitch in the exchange script for the DEX CoW Swap, all treasury funds were sent to a single one of the protocol’s largest pools. The trade caused significant price slippage, which ‘arbitrageurs and other market participants’ exploited.

Developers explained that the erroneous transfer of the entire Yearn Finance balance in the pool was one of 30 orders executed via multisig transaction. This hindered manual oversight, and the swap script ‘lacked sufficient withdrawal checks and contained a logic error’ in capping the swap size.

To prevent similar incidents, Yearn Finance adopted a series of safeguards, including:

• split treasury funds in the pool into contracts managed by separate administrators;
• introduction of more readable output messages in trading scripts;
• tightening price-impact thresholds.

DeFi project SafeMoon files for bankruptcy

On December 14, SafeMoon’s attorney Mark Rose filed for bankruptcy for the DeFi project. The SFM token reacted with a sharp drop.

Chapter 7 bankruptcy filings have been submitted to the United States District Court for the District of Utah. SafeMoon US LLC valued its assets at between $10 million and $50 million, while liabilities were between $100,001 and $500,000.

In the wake of the news, the SFM token collapsed to around $0.000055. Over the past week the coin has fallen 22.4%, according to CoinGecko.

Nirvana Finance hacker agrees to return $12.3 million

The hacker responsible for the Nirvana Finance yield-farming protocol breach and an unnamed DEX pleaded guilty and agreed to forfeit stolen assets worth $12.3 million.

According to the U.S. Attorney’s Office, in the summer of 2022, 34-year-old senior security engineer Shaki Ahmed exploited a vulnerability in the smart contract of an unnamed exchange.

A few weeks later he attacked Nirvana Finance using an instant loan and withdrew $3.49 million in crypto from the project’s treasury. Although protocol developers offered the hacker a bounty, the parties did not reach an agreement. The stolen funds were swapped for Monero and laundered through Samourai Whirlpool mixer.

In July Ahmed was charged with wire fraud and money laundering. In addition to forfeiture of the stolen cryptocurrency, he was ordered to pay $5 million in restitution to victims.

The final sentence will be handed down on March 13, 2024. Ahmed faces up to five years in prison.

Also on ForkLog:

• Coinbase first listed a token from the Base network.
• Uniswap DEX launched on the Bitcoin-sidechain Rootstock.
• The court ceased criminal proceedings against the Platypus Finance hacker.