DeFi Digest: Bug Found in the Solana Library; MonoX and BadgerDAO Hacked

The decentralised finance (DeFi) sector continues to attract heightened attention from crypto investors. ForkLog has compiled the most important developments and news of the past weeks in a digest.

Key metrics for the DeFi sector

Against the backdrop of market correction, the total value locked (TVL) in DeFi protocols fell to $246.82 billion. Curve Finance remains the leader, with its TVL rising to $21.26 billion. MakerDAO ($18.16 billion) moved into second, Convex Finance ($15.85 billion) third.

Defi Llama includes in the final figure a basket of tokenised Bitcoins. WBTC, with $12.46 billion, ranked fifth. hBTC, with $1.94 billion, ranked 20th. The combined value of ‘Bitcoin on Ethereum’ amounted to $15.78 billion.

The TVL in Ethereum applications rose to $163.08 billion. Over the last 30 days the figure is down 11% (11 November it stood at $180.65 billion).

Trading volume on decentralised exchanges (DEX) over the past 30 days stood at $127.1 billion.

Uniswap continues to command dominance in the non-custodial exchange market — accounting for more than 78% of total turnover. The second-largest DEX by volume is SushiSwap (8.6%), the third is Curve (5.8%).

The Bank of France proposed establishing oversight of the DeFi sector

European regulators must establish oversight of the DeFi sector. The official spoke on the topic in a speech addressing the challenges for the digital euro.

The official touched on the topic in a speech addressing the challenges for the digital euro.

“Further important changes are needed. In particular, oversight of the DeFi sector, where normal regulatory frameworks are limited. Issuers and service providers are not easy to identify, protocols operate automatically without intermediaries, and there is no fixed jurisdiction for the services offered,” the official said.

Omicron token rises more than 900% after new COVID-19 variant emerges

The Omicron (OMIC) token rose more than 900% after the emergence of a new COVID-19 variant. On 26 November the WHO named it “Omicron.”

The DeFi project Omicron DAO’s token was issued on the Arbitrum One layer-2 protocol and trades on SushiSwap. According to Twitter, the asset launched on 2 November.

On 27 November OMIC traded around $65, and two days later it reached an all-time high above $689. By 11 December the price had fallen to $63.

LUNA price hits new high as Terra DeFi inflows surge

On 5 December the native token of the Terra protocol (LUNA) hit a price high above $78 (on Binance). The quotes peaked amid substantial inflows into the project’s ecosystem — TVL in DeFi apps exceeded $14 billion.

At the time of writing LUNA trades near $63. The ecosystem TVL stood at $12.86 billion.

Bug in Solana library allowed theft of up to $27 million per hour

The error in the Solana SPL protocol library could have allowed funds to be stolen from several major DeFi projects at a rate of roughly $27 million per hour, according to researchers from Neodyme.

The Tulip Protocol yield aggregator, along with the Solend and Larix lending protocols, were at risk. At the peak, the combined TVL of these projects reached $2.6 billion.

Experts noted that the bug was publicly disclosed by one of the auditors of the group, who uses the nickname Simon, back in June. On 1 December he found that the vulnerability had not been fixed. Neodyme suspects that perhaps it was considered harmless.

However, researchers found that the bug allows the theft of “hundreds of millions of dollars” via small sums quickly.

Experts contacted the Solana Foundation and eight projects affected. In some cases the suspicions proved incorrect, and Port Finance had fixed the issue months earlier. In Tulip, Solend and Larix they fixed the issue after the outreach, and the Solana team also updated the documentation.

Investments in DeFi

The Panther Protocol, a developer of a privacy-preserving DeFi protocol, raised more than $22 million in a public token sale.

The token sale ended in 90 minutes, and the total funding raised by the project reached $32 million.

The Panther Protocol solution uses the zk-SNARK technology and runs on Ethereum, Polygon, Flare, Songbird, NEAR and Elrond.

The DeFi platform Earnity raised $15 million in a Series A round. It was led by the BitNile mining company, a subsidiary of Ault Global Holdings.

The round also included the Australia-listed Thorney and the NGC Ventures fund.

Behind Earnity is Domenic Karosa, founder of Banxa Holdings and cofounder of Apollo Capital. The platform, aimed at “democratising access” to digital assets, is planned to launch in early 2022.

DeFi hacks and scams

On 30 November a hacker exfiltrated $31 million worth of crypto assets from the Polygon-based MonoX platform. The attacker used a swap contract to push the MONO price “to the moon,” and then buy up all the other assets in the pool.

On 2 December the BadgerDAO project was hacked — the damage exceeded $120 million. PeckShield experts noted that one of the affected addresses lost roughly 900 BTC (about $50 million at the time). A community member on Twitter suggested the address was linked to Celsius Network.

On 10 December the project team announced that during the attack hackers used Cloudflare Workers, a service that enables deploying scripts in Cloudflare’s cloud network.

Hackers gained access to the API, which “was used for legitimate Cloudflare-managed operations.” They then used the interface to inject malicious scripts via Cloudflare Workers into the HTML file of the app.badger.com site.

Also on ForkLog:

• DeFi 2.0: how the next-generation decentralized protocols are evolving.
• Cryptocurrency indices: how to invest in DeFi equivalents of the S&P 500.
• Yield farming: theory and practice.

Read ForkLog’s Bitcoin news in our Telegram — crypto news, prices and analytics.