Has the vulnerability of Curve Finance and DeFi to assaults taught us anything?

Although Curve Finance’s recent near-death experience (and its averted propagation) may appear to be a distant memory in Web3, it’s actually a common occurrence in the sector. It’s not the first time a decentralised finance protocol, or for that matter, any decentralised programme, has been subject to an attack that is entirely legitimate within its own code. More importantly, the crisis might have been avoided if there had been on-chain risk management.

All of this implies a bigger issue with Web3. This is the issue with its development environments’ restricted expressivity and resources, and how it affects security as a whole.

Numerous media outlets and analysts referred to the incident as a “hack” when the Curve Finance attacker was successful in removing US$61.7 million in assets from Curve Finance’s smart contracts. But this was an exploit, not a hack. Here, the distinction is crucial.

In this case, a hack would have happened if the attacker had managed to get around or crack a security system already in place. However, Curve was the target of an exploit. Nothing happened that was unusual in comparison to what the protocol’s Vyper code permitted. The looter merely exploited the protocol’s functionality.

Who is responsible for this? No one. The capacity of Curve’s Vyper code to convey complexity beyond relatively simple transaction logic is severely constrained, much like the majority of the (Solidity) code used in Web3 applications.

This makes it challenging for anyone trying to create security measures to thwart this or other assaults. What’s more worrisome is that it also makes it challenging to create effective mechanisms to stop their proliferation across the huge and composable liquidity landscape of DeFi.

However, this does not imply that Curve was powerless to stop the attack and its propagation throughout DeFi. On-chain risk analysis is a straightforward illustration of a solution.

In a hypothetical circumstance like this one, the generalised version of a troublesome pattern that could be solved is as follows:

Risk analysis solutions that ascertain how good of a promise an asset can be have historically been used to solve this issue. Before authorising the loan, Naive Finance may verify statistical projections based on the token’s past price if they were present on-chain. The protocol would have detected the pump and prevented Bob from receiving the $100 million.

This kind of on-chain risk analysis and management is lacking in DeFi.

Returning to Curve Finance, if Aave and Frax had an automated, on-chain limit on loan approvals when they pass a proportion of the collateral token’s circulating quantity, a spread would have been avoided. Everyone would have been safer and under less stress in this scenario.
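The two checks described above (a projection from the token's past price before approving a loan, and a cap on pledged collateral as a proportion of circulating supply) can be sketched as a single approval gate. This is an added example, not code from Curve, Aave, Frax or the article; it is an off-chain Python model. The thresholds, function names and sample prices are assumptions constructed for illustration.

```python
import math
from statistics import mean, stdev

# Assumed policy parameters (illustrative, not from the article).
MAX_SUPPLY_SHARE_BPS = 500  # pledged collateral may not exceed 5% of supply
MAX_Z_SCORE = 4.0           # reject a price move beyond 4 sigma of history

# Constructed sample of past prices for a hypothetical collateral token.
HISTORY = [1.00, 1.02, 0.99, 1.01, 1.00, 1.03, 1.01]

def pledged_share_bps(already_pledged: int, new_collateral: int,
                      circulating: int) -> int:
    """Share of circulating supply pledged after this loan, in basis
    points. Integer-only, as an on-chain implementation would need."""
    if circulating <= 0:
        raise ValueError("circulating supply must be positive")
    return (already_pledged + new_collateral) * 10_000 // circulating

def price_z_score(history: list[float], spot: float) -> float:
    """Z-score of the log return from the last recorded price to spot,
    measured against the distribution of historical log returns."""
    returns = [math.log(b / a) for a, b in zip(history, history[1:])]
    if len(returns) < 2:
        raise ValueError("need at least three historical prices")
    mu, sigma = mean(returns), stdev(returns)
    latest = math.log(spot / history[-1])
    if sigma == 0:
        return 0.0 if latest == mu else math.inf
    return (latest - mu) / sigma

def approve_loan(already_pledged: int, new_collateral: int,
                 circulating: int, history: list[float],
                 spot: float) -> tuple[bool, str]:
    """Return (approved, reason) for a loan backed by new_collateral."""
    share = pledged_share_bps(already_pledged, new_collateral, circulating)
    if share > MAX_SUPPLY_SHARE_BPS:
        return False, f"concentration: {share} bps of supply pledged"
    z = price_z_score(history, spot)
    if abs(z) > MAX_Z_SCORE:
        return False, f"price anomaly: z={z:.1f}"
    return True, "ok"
```

The logarithm and standard deviation used here are exactly the kind of library functions the article says are missing on-chain, where they would have to be reimplemented in fixed-point arithmetic.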

The main issue here is that current Web3 ecosystems are unable to support an on-chain risk analysis solution of this kind. The types of libraries and frameworks offered by virtual machines like the Ethereum Virtual Machine place restrictions on them. They have a finite amount of resources at their disposal as well.

A decentralised app would need to rely on coding libraries that provide functions for at least fundamental mathematical concepts like logarithms and others in order to construct something like this risk analysis and management solution.

This is not the case with Web3 since dApps lack access to Python’s NumPy math library, for instance. Rather than using the standard toolkit, developers must invent it from scratch.

Then there is the additional issue. Even if they possessed these libraries, the cost of coding them would be prohibitive, genuinely pricey. Every computation on the Ethereum Virtual Machine has a cost because of the way it is built.

Although there are good reasons for this, including limiting infinite loops and other things, it also limits the amount of resources that dApps can use if they want to scale computationally without paying exorbitant prices. A risk management solution could easily end up costing more to maintain than it is able to save in money.

On-chain risk management could have stopped the Curve Finance impasse from spreading locally. With better resources and expressivity in Web3, this entire class of attacks might be mostly avoided.

Because they go beyond providing dApps with more shared block space, these two components of blockchain scalability have long been ignored. In reality, they include constructing Web3 development environments that resemble Web2 environments. They go beyond simply increasing the quantity of data that is available on-chain and instead focus on computational scalability and programmability.

Perhaps these and future attacks might be completely avoided if protocol developers at Curve, Aave, or Frax had access to a better toolkit and more resources. Perhaps we could begin.
