Title: Fire Fire / Plain Language Blockchain
Last week, DeFi faced a crisis, and the target of this crisis was one of the key forces in the ecosystem, Curve Finance.
Curve is a leading decentralized exchange, popular with DeFi users for its liquidity pools, which let depositors earn yield on a range of popular tokens: Bitcoin (in tokenized form), Ether, staked Ether such as stETH and rETH, and stablecoins such as USDC and USDT.
Curve's popularity stems from the fact that liquidity providers can significantly increase their income through Curve's governance token, CRV, on top of the deposit yield itself.
For example, Curve's most popular pool, 3pool, holds DAI, USDC and USDT. Its base APY from trading fees is 0.85%; on top of that it pays CRV rewards of 0.94%, which can be boosted to 2.35% by locking CRV (vote-escrowed CRV, or veCRV).
Returns can be pushed further through Convex Finance, which pays additional rewards in its own CVX token.
1. The Curve Vulnerability
Last week, Curve announced that several of its pools were exposed to a reentrancy vulnerability caused by a bug in older versions of the Vyper compiler (0.2.15, 0.2.16 and 0.3.0): in those versions the compiler's `@nonreentrant` lock did not work as intended. Attackers used the flaw to drain funds from the affected pools, roughly $62 million in total.
Like Solidity, Vyper is a language for writing Ethereum smart contracts. It is the second most widely used contract language after Solidity, with a syntax modelled on Python. Even so, it secures less than $3 billion of DeFi TVL, compared with more than $66 billion for Solidity.
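To make the compiler bug concrete, here is an added Python simulation. It is not Curve's contract code, not the Vyper compiler, and not the exact transaction sequence used in the attack: the single-asset pool, its proportional LP minting, the attacker contract and the ordering inside `remove_liquidity` (pool balance reduced before the ETH transfer, LP supply reduced after it) are all assumptions made for the demo. What it models is the lock semantics: in the affected Vyper versions, `@nonreentrant("lock")` placed on different functions did not share a single storage slot, so a lock held by `remove_liquidity` did not stop a re-entry into `add_liquidity`. The `guard_mode` switch compares that behaviour with a correctly shared lock.

```python
import copy


class Revert(Exception):
    """Models an EVM revert: every state change of the transaction is discarded."""


class Account:
    """Externally owned account; `receive` runs when the pool sends it ETH."""

    def __init__(self, name, eth=0):
        self.name, self.eth = name, eth

    def receive(self, pool, amount):
        self.eth += amount


class Attacker(Account):
    """Contract whose ETH-receive hook re-enters the pool once, if armed."""

    def __init__(self, eth=0):
        super().__init__("attacker", eth)
        self.reenter = False

    def receive(self, pool, amount):
        self.eth += amount
        if self.reenter:
            self.reenter = False
            # Cross-function reentry: remove_liquidity is still mid-update.
            pool.add_liquidity(self, amount)


class Pool:
    """Toy single-asset pool with proportional LP accounting (an assumption
    for this demo, not Curve's StableSwap maths). guard_mode models
    `@nonreentrant("lock")`: "per_function" gives every function its own
    lock slot despite the shared key (the miscompiled behaviour); "shared"
    uses one slot per key for all functions (correct)."""

    def __init__(self, guard_mode):
        self.guard_mode = guard_mode
        self.eth = 0          # ETH held by the pool
        self.lp_total = 0     # LP token total supply
        self.lp = {}          # LP balance per account name
        self.locks = {}       # lock slot -> held?

    def _enter(self, key, fn_name):
        slot = f"{key}:{fn_name}" if self.guard_mode == "per_function" else key
        if self.locks.get(slot):
            raise Revert(f"reentrancy into {fn_name} blocked")
        self.locks[slot] = True
        return slot

    def add_liquidity(self, sender, amount):
        slot = self._enter("lock", "add_liquidity")
        try:
            if sender.eth < amount:
                raise Revert("insufficient ETH")
            # LP minted pro rata to the pool's *current* ETH balance.
            minted = amount if self.lp_total == 0 else amount * self.lp_total // self.eth
            sender.eth -= amount
            self.eth += amount
            self.lp_total += minted
            self.lp[sender.name] = self.lp.get(sender.name, 0) + minted
            return minted
        finally:
            self.locks[slot] = False

    def remove_liquidity(self, sender, lp_amount):
        slot = self._enter("lock", "remove_liquidity")
        try:
            if self.lp.get(sender.name, 0) < lp_amount:
                raise Revert("insufficient LP")
            payout = lp_amount * self.eth // self.lp_total
            self.eth -= payout            # pool balance reduced ...
            sender.receive(self, payout)  # ... ETH sent: callee code runs here ...
            self.lp_total -= lp_amount    # ... LP supply reduced only afterwards
            self.lp[sender.name] -= lp_amount
            return payout
        finally:
            self.locks[slot] = False


def transact(pool, accounts, fn, *args):
    """Run one call atomically: on Revert, roll back pool and account state."""
    saved_pool = copy.deepcopy(pool.__dict__)
    saved_eth = {a.name: a.eth for a in accounts}
    try:
        return fn(*args)
    except Revert:
        pool.__dict__.update(saved_pool)
        for a in accounts:
            a.eth = saved_eth[a.name]
        return None


def run_attack(guard_mode):
    """Honest LP and attacker each deposit 100 ETH; the attacker withdraws with
    reentry armed, then both cash out. Returns whether the reentry went
    through and the final ETH balances."""
    pool = Pool(guard_mode)
    honest, attacker = Account("honest", eth=100), Attacker(eth=100)
    accounts = [honest, attacker]
    transact(pool, accounts, pool.add_liquidity, honest, 100)
    transact(pool, accounts, pool.add_liquidity, attacker, 100)
    attacker.reenter = True
    reentered = transact(pool, accounts, pool.remove_liquidity, attacker, 100) is not None
    attacker.reenter = False
    transact(pool, accounts, pool.remove_liquidity, attacker, pool.lp["attacker"])
    transact(pool, accounts, pool.remove_liquidity, honest, pool.lp["honest"])
    return {"reentry_succeeded": reentered, "attacker_eth": attacker.eth, "honest_eth": honest.eth}


if __name__ == "__main__":
    for mode in ("per_function", "shared"):
        print(mode, run_attack(mode))
```

With per-function lock slots the re-entered `add_liquidity` sees a reduced pool balance against an unreduced LP supply and mints far too many LP tokens, so the attacker walks away with 133 ETH for 100 deposited and the honest provider is left with 67. With one shared slot the inner call reverts, the whole withdrawal is rolled back, and both parties get exactly their 100 ETH back. Note that the pool code is identical in both runs; only the lock semantics differ, which is why an audit of the contract source alone could not have caught this.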
2. Only When the Tide Goes Out Do You Discover Who's Been Swimming Naked
The Vyper bug was not the only problem. Curve's founder, Michael Egorov, had pledged roughly 34% of CRV's circulating supply as collateral for loans across several DeFi lending protocols.
This means that if CRV fell below the liquidation thresholds of those loans, the pledged CRV collateral would be liquidated and flood the market, pushing the price down further.
To stabilize Curve, Tron founder Justin Sun subsequently stepped in and bought CRV to help support the price.
As Ryan from Bankless pointed out, the potential selling pressure of CRV is simple: leverage gone wrong.
However, people should indeed pay attention to who holds the tokens related to the DeFi protocols they are using and what these holders are doing with them.
The upshot is that Curve seems to have survived this time, but the episode highlights problems the DeFi ecosystem still faces.
3. Software Vulnerabilities
Developers are engaged in an endless cat-and-mouse game, with malicious hackers trying to find and exploit vulnerabilities in their code. In the past, this was limited to enterprise systems behind firewalls, which typically required social engineering or lax security practices to breach.
Public blockchains have changed this. Decentralized applications have created a huge cryptocurrency honeypot for attackers to focus on. When hundreds of millions of dollars sit in contracts on public blockchain networks, why bother crossing all the barriers to exploit institutions?
Anyone who spends a lot of time as a developer or working with developers realizes how time-consuming development is. No code is perfect or complete. There are always ways to improve or optimize it.
This includes finding vulnerabilities, which often lurk for years before being discovered. The Heartbleed vulnerability in OpenSSL, disclosed in 2014, is an example: it was introduced by a change to the codebase in 2012.
It is estimated that about 17% of the Internet's TLS-secured web servers were affected when the vulnerability was disclosed. It let attackers read chunks of server memory, which could include private keys, session cookies and passwords, and so impersonate the server or the users connecting to it.
4. The Parity Multisig Wallet
As early as 2017, we saw the exploitation of Parity Technologies' multi-signature wallet: 153,037 Ether (equivalent to about $290 million at today's prices) was stolen through a vulnerability in the shared library contract the wallets depended on.
In the years since, there have been countless further exploits.
It is simply impossible to eliminate all errors in code, even with artificial intelligence, because the underlying large language models (LLMs) are trained on code written by fallible humans.
Can we reach a point where DeFi truly fulfills its potential?
I do see areas where I am confident in the ecosystem, such as Circle's USDC. But there Circle controls the issuance of the token and operates in a very transparent manner, including providing audit reports for its reserves.
There are also the foundational network protocols themselves, such as Ethereum. I don't believe any event could threaten Ethereum's solvency or the overall security of the Ethereum network, and, as the DAO hack showed, there are ways to recover from major events (although few in the Ethereum community would support that level of intervention again).
5. Stacking DeFi Apps
I think the issue lies in the ability to stack applications on top of applications and create complex positions across multiple DeFi applications.
This is where someone deposits tokens into Curve, deposits CRV into Convex to increase the yield, and perhaps locks the resulting CVX tokens as well. Curve may be one of the pillars of DeFi, but with each additional protocol a position touches, the user's risk rises significantly.
In each DeFi protocol, there are only a few developers who truly understand how their smart contracts work. When you combine multiple protocols, this number becomes even smaller.
This means very few users know how secure their funds really are and are simply chasing advertised yields.
Teams have taken some measures, such as hiring auditors to help verify their contract source code. But will these auditors re-engage with every change? Are these auditors continuously monitoring updates or vulnerabilities in all dependencies? Even so, some vulnerabilities will still slip through.
6. Protecting Mainstream Users
I believe that to take DeFi applications mainstream, we need to give users better protection. That may take the form of institutions with enough capital to make users whole after a breach, or simply insurance.
Perhaps centralized exchanges will ultimately become gateways used by many? It will be very interesting to see how Coinbase's Base network develops in this regard, as they will have the ability to provide support within the network.
In recent years, the value locked in the DeFi ecosystem has been incredibly high. However, from a personal perspective, I am still hesitant to invest any meaningful funds into DeFi protocols unless I can monitor what they are doing around the clock.
I have less concern about stablecoins like USDC, and about ETH itself, because their operation is more transparent and does not require digging through smart contract code.
If there is no breakthrough in how to protect user funds, I do believe that many DeFi protocols will remain niche applications for those who truly understand what they are doing. Especially now, when you can deposit funds in regular banks with yields of 4-5% and government guarantees.
I remain as supportive as ever of blockchain and web3. But certain parts of DeFi still feel like a high-stakes poker game, and I am not a gambler.
What are your thoughts on the Curve vulnerability? Does it make you cautious about investing funds in DeFi protocols? What measures need to be taken to reduce risks for DeFi applications to become mainstream?
Disclaimer: This article represents only the author's personal views and not the position or views of this platform. It is provided for information sharing only and does not constitute investment advice to anyone. Any dispute between a user and the author is unrelated to this platform. If an article or image published on this page infringes your rights, please send proof of the rights and of your identity to support@aicoin.com, and the platform's staff will investigate.