Total Volume + Fees
Welcome back LPs and Happy Thanksgivingπ¦! The past 7β£ days were once again some of the most overwhelming in the LP and Defi space. From a "3/5 multi-sig" L2 yield platform (Blastπ₯) accumulating > $300 Million in TVL to one the most notorious attacks on an AMM (KyberSwap), it's clear that the Defi realm is still rife with risk. However, progress and innovation continues as well!
On the docket π« this week:
KyberSwap loses $50 Million to a napping exploiter
SUClave V4 Hook battling LVR with auctions
$UNI price goes β¬ by >20%
$UNI to the π
Uniswap's(UNI) price has surged 21.92% over the last 7 days reaching $6.30 (tho still very far from it's all time high of $45), as well has made WETH/UNI one of the top performing pools with $141,804.82 in fees generated in the past 7 days!
There could be a multitude of reasons for this surge, but recently Uniswap announced a proposal that seeks to give some delegates tokens worth $60 million. This proposal is now up for on-chain voting, and was hailed as a good decision for on-chain governance.
KyberSwap $50 Million hack
On the 23rd of November, KyberSwap was drained by this address:
0x50275E0B7261559cE1644014d4b78D4AA63BE836
Focusing on the Ethereum ETH/wstETH pool, the attacker utilized a flash loan to manipulate the pool's liquidity. Starting with a significant loan of wstETH, the attacker executed a series of swaps to manipulate the pool's price. This involved first injecting and then withdrawing liquidity in a calculated manner to create a "fresh canvas" on the liquidity curve.
By careful control of swap quantities, the attacker tricked the pool into thinking it had more liquidity than it actually did. This manipulation was achieved through a subtle flaw in Kyber's swap step calculation. The swap step check failed by an infinitesimal margin("The check failed by <0.00000000001%"), a testament to the precision engineering of the exploit. This failure led to the "infinite money glitch". For a more in-depth report, see @0xdoug's analysis.
This is easily the most complex and carefully engineered smart contract exploit I've ever seen...
2,667
An individual approached the hacker to discuss fund recovery terms. Intriguingly, the hacker agreed to negotiate, but only after...they take a nap.
Why should LPs care about this
Automated Market Makers are nothing without their LPs π.
Oversights in smart contract audits has to be the most foolish reasons to have people loose faith in your DEX.
KyberSwap's Total Value Locked (TVL) has plummeted to approximately $8 million, a staggering tenfold decrease from its pre-hack levels. This drastic reduction has left the Automated Market Maker industry in tatters.
What is really concerning about this hack is that this was a variant of an already discovered hack. @atiselsts.eth pointed out that this was an oversight by the KyberSwap team.
There was a smoking gun β the initial double-counting bug report. After the report, Kyber could have:
1) Done extensive fuzz-testing
2) Tried to do some level of formal verification
3) Paid for a re-audit of the core
Did they?
this might be the most bearish tweet re: DeFi that I've ever seen
no matter how much you prepare β there are attackers with infinite time and patience trying to rob you
However, effectively countering attackers and preventing exploits is a formidable challenge given the nature of Defi and AMMs. Hayden Adams, Uniswap's founder, underscored their rigorous contract testing, yet admitted to lingering concerns about potential oversights.
One of the victims of the KyberSwap stated that they lost 63% of their net worth to this attack. This is why LPs should aim to invest in multiple AMMs as to reduce their risk.
Our key lesson: Diversify! Explore numerous Layer 2 and other low-fee chains to avoid the steep gas costs associated with creating positions. You can provide liquidity for the same asset pair across chains and DEXs. Don't be the guy who looses all their portfolio to a single hack!
LVR Hook-SUClave
Recently @doganeth_en introduced a new AMM design building upon V4 hooks that aim to mitigate the LVR problem and make AMMs smarter by taking the profits that bots siphon off and redirecting them to LPs.
This is a clever principle of beating the fast-moving MEV bots to the trade. MEV bots capitalize on the potential profits that Liquidity Providers (LPs) miss out on by quickly trading during price spikes.
SUClave is a V4 Hook that uses SUAVE. SUClave hook is deployed to interact with the Uniswap Pool Manager.
SUAVE introduces a unique auction system where developers can freely place bids for transactions. Each bid comes with a special 'signature' from SUAVE, acting as proof that the bid is legitimate and comes from their auction. This makes it easier to confirm and accept these bids on the Ethereum network.
The auction serves to democratize access to transaction execution, making it a competitive process rather than one dominated by bots. It also creates a new revenue stream for LPs, who now benefit from the auction proceeds.
SUClave V4 Hook is designed to only accept transactions that are verified as coming from a SUAVE auction. The main allure for the bidder is gaining priority for the transactions. By winning the auction, they get a chance to capitalize on profitable transaction sequences before others.
The highest bidder wins the right to execute their transaction. The bid amount, essentially the price paid for transaction priority, is then distributed to the LPs.
As the creator of SUClave Hook, Dogan says, it will not completely eliminate MEV bots but instead their goal with the hook was to "explore options for a "benign" form of MEV".
The proposition paints a captivating picture; that as LPs become more profitable, this could attract more LPs to the market. And this in turn reduces the cost and slippage-> less fees and smoother trading!
Top Pools of the Week
High-Risk
BYTES/ETH in the exotic pairs category for the ones feeling adventurous.
Low-Risk
wNXM/ETH for the balanced swimmers.
Safe
USDC/ETH in the 5bps category for the cautious paddlers.
This was another thrilling week to be an LP! Let us know what you think was the most interesting thing you happened upon in reply to this email and we might send you π emoji back.
Until next week, take care π !