Curve Finance’s latest near-death expertise (and its averted propagation) could appear to be a blur in Web3’s rear-view mirror, however it’s truly one thing that retains taking place within the trade. It’s not the primary time {that a} decentralized finance protocol — or any decentralized app for that matter — has been affected by an assault that’s completely authorized inside its personal code. Extra so, the disaster may’ve been prevented if on-chain danger administration existed.
All of this factors to a broader drawback in Web3. That’s the drawback of restricted expressivity and sources that exist in its growth environments and the way it impacts safety general.
Hack or exploit?
When the Curve Finance attacker was capable of retrieve US$61.7 million in property from Curve Finance’s sensible contracts, many media shops and commentators referred to as the occasion a “hack.” However this was not a hack — it was an exploit. The distinction right here is essential.
On this context, a hack would’ve taken place if the attacker had one way or the other bypassed or damaged an present safety measure. However the assault on Curve was an exploit. Nothing that occurred that was out of the extraordinary when it comes to what the protocol’s Vyper code allowed for. The looter merely took benefit of how the protocol’s design labored.
Who’s responsible for this? Nobody. Curve’s Vyper code, like a lot of the (Solidity) code that’s utilized in Web3 functions, is severely restricted in its means to precise complexity past comparatively easy transaction logic.
This makes it arduous for anybody to design safety measures that might forestall this or another assaults. Extra worryingly, it additionally makes it arduous for anybody to correctly design instruments to stop their unfold throughout DeFi’s huge and composable liquidity panorama.
On-chain danger evaluation
But it surely doesn’t imply there was nothing Curve may do to stop this assault and its unfold throughout DeFi. A easy instance of an answer could be on-chain danger evaluation.
The generalized model of a problematic sample that might be solved might be summarized in a hypothetical state of affairs like this one:
Unhealthy actor Bob buys $5 million value of the extremely risky $RISKY token through a flashloan.The worth of $RISKY token is successfully pumped by Bob after the acquisition. Bob takes out a $100 million mortgage on Naive Finance backed by $RISKY.Naive Finance checks the value of $RISKY and confirms that Bob is “good” for the cash.Bob runs.When Naive Finance liquidates $RISKY it’s only value $5 million.
(One other instance of this basic sample might be discovered within the Euler hack from March.)
Historically, this drawback is solved by danger evaluation options that decide how good of a assure an asset might be. In the event that they existed on-chain, Naive Finance may examine statistical estimations based mostly on the token’s historic worth earlier than approving the mortgage. The protocol would’ve seen by means of the pump and denied Bob the $100 million.
DeFi is missing this sort of on-chain danger evaluation and administration.
Going again to Curve Finance, a diffusion may’ve been prevented if Aave and Frax had an automatic, on-chain restrict on mortgage approvals after they cross a share of the collateral token’s circulating provide. This is able to’ve been a safer and fewer stress-inducing state of affairs for everyone.
Restricted expressivity and sources
The actual drawback right here is that present Web3 ecosystems can’t assist one thing like this on-chain danger evaluation resolution. They’re restricted by the type of libraries and frameworks which are out there in digital machines just like the Ethereum Digital Machine. They’re additionally restricted when it comes to the sources at their disposal.
With the intention to develop one thing like this danger evaluation and administration resolution, a decentralized app would wish to rely on coding libraries which have capabilities for a minimum of primary mathematical ideas like logarithms and others.
This isn’t the case in Web3 as a result of dApps don’t have entry to NumPy, the maths module in Python, for instance. The everyday toolbox isn’t there and builders should reinvent the wheel as a substitute.
Then now we have one other drawback. Even when they’d these libraries, they’d be too costly to code. Actually costly. The Ethereum Digital Machine is designed in order that there’s a worth for each computation.
Whereas there are legitimate causes for this, reminiscent of stopping infinite loops and such, it additionally creates a useful resource limitation for dApps that may must scale computationally with out incurring unreasonable prices. One may simply see how a danger administration resolution would price extra to run than what it’s capable of save in funds.
Specializing in the fitting issues
At a localized stage, the unfold of the Curve Finance deadlock may’ve been prevented with on-chain danger administration. At a basic stage, this complete class of assaults might be prevented with extra expressivity and sources in Web3.
These are two elements of blockchain scalability which have lengthy been ignored as a result of they transcend affording extra shared block area for dApps. They really contain the creation of growth environments in Web3 that emulate these of Web2. They’re about computational scalability and programmability, not simply scaling the quantity of knowledge that’s out there on-chain.
Maybe if protocol builders at Curve, Aave or Frax had the power to rely on a greater toolbox and extra sources, these and future exploits might be averted altogether. Possibly we may begin with on-chain danger administration.