Aave governance delegate Marc Zeller has aired concerns over the future of the decentralized finance (DeFi) lending platform on Polygon in the wake of a controversial proposal to use funds locked in the network’s bridge to earn yield elsewhere.

Aave is the largest protocol on Polygon, accounting for over a third of the chain’s total value locked (TVL) at $467 million, according to data from DeFiLlama.

Read more: Advisors leave Aave as protocol punishes competitors

The proposal to create a “Polygon PoS Bridge Liquidity Program” is currently in pre-PIP status and, in the four days since publication, has generated discussion between concerned and yield-hungry users alike.

While some point to the potential boon to the ecosystem of the program’s profits being “strategically deployed… to incentivize liquidity and stimulate project growth,” others raised security worries.

Many users pointed out that stablecoin holders are especially risk-averse and adding layers of risk onto a “stable” product is precisely the opposite of why users hold these assets. 

The $1.3 billion worth of idle stablecoins would be bridged for use on Ethereum via Aave competitor Morpho, with vaults being “curated” by the proposal authors AllezLabs. A “conservative” yield of 7% would be targeted, potentially earning over $90 million per year.

The resulting lending interest would then be funneled back to Yearn on Polygon, where it would be distributed among yield farming vaults to incentivize activity on the chain.

In Zeller’s own discussion thread on Aave’s governance forum, he cites examples of bridge hacks such as Ronin, BNB Bridge, Wormhole, and Multichain as making up many of the largest losses in DeFi over recent years. He proposes to “set loan-to-value (LTV) for all assets on Aave V2 and V3 Polygon to 0%,” essentially disabling new borrowing, as well as incentivizing the migration of already-deposited assets to other networks.

Read more: Explained: How $600M was stolen from Binance’s BNB chain

However, the fact that the proposal would see funds funneled to Morpho likely also doesn’t sit well. Aave and Morpho haven’t been on the best of terms since risk manager Gauntlet jumped ship from the former to the latter.

Tensions flared again when Zeller accused Gauntlet and Morpho of not doing enough to protect users in the wake of a depeg of restaking token ezETH in April.

Read more: Depeg of $3B restaking token ezETH causes over $60M in DeFi liquidations

Meanwhile, Aave has been riding the wave of the recent DeFi renaissance, breaking its all-time high of $38 billion worth of net deposits. Even a President-elect Donald Trump-linked address has been buying the AAVE governance token ahead of the planned launch of World Liberty Financial (also Trump-linked, despite a lengthy disclaimer) as an Aave instance on Ethereum.

Perhaps Polygon needs Aave more than Aave needs Polygon.

A Polygon Labs spokesperson told Protos: “The Polygon community has only put forth a pre-PIP (preliminary proposal) at this stage, and the topic is still in the very early phases of discussion. The Polygon community, which includes dApp builders across protocols, values open dialogue and collaboration as integral parts of the governance process. Getting feedback from all stakeholders is essential, and we encourage continued conversation to ensure these proposals are fully discussed and evaluated. Polygon Labs is supportive of the community continuing to prioritize the security of the ecosystem”

UPDATE 16/12/2024 20:33 UTC : Included a quote from Polygon Labs spokesperson.

Got a tip? Send us an email or ProtonMail. For more informed news, follow us on X, Instagram, Bluesky, and Google News, or subscribe to our YouTube channel.

The post Aave could leave Polygon over plan to use bridge funds for yield farming appeared first on Protos.

Yesterday, two hacks on decentralized finance (DeFi) protocols netted a total of over $5 million, with a further $5 million siphoned off from compromised wallets on Wednesday.

While the founders of two OG protocols, Aave and Maker (now Sky), bro’d down over Starcraft while basking in a “DeFi renaissance moment,” some of the sector’s less well-established projects were going down in history for the wrong reasons.

Repeat DeFi hack or a new bug?

First up was Onyx Protocol whose $3.8 million loss was first thought to be a repeat of the well-known bug that drained $2.1 million from the project toward the back end of last year.

Read more: Compound DAO asleep at the wheel as $25M governance ‘attack’ passes

Onyx is a fork of Compound Finance, which contains an infamous vulnerability in which freshly-launched, empty lending markets are briefly left open to a price manipulation attack, if not handled correctly.

Given the popularity of Compound’s v2 codebase with fast-forking DeFi devs, the bug is exploited with alarming regularity across the sector, and was initially identified as having been the cause of Onyx’s latest loss.

However, as the team pointed out in a ‘post-mortem’ thread on X (formerly Twitter), this time the vulnerability also lay in the platform’s ‘NFT Liquidation contract.’ The attacker was able to drain the vUSD stablecoin which was then sold off, causing it to depeg.

Something’s not adding up

Next came ‘bitcoin restaking’ protocol Bedrock which appeared to be overly bullish on ETH, costing it around $2 million.

Read more: ‘Cryptographic performance art’ drains contract one block after launch 

The faulty code allowed users to mint Bedrock’s uniBTC token at a 1:1 ratio with staked ETH tokens, not taking into account the price difference between the two assets (valued at the time at approximately $65,000 vs $2,650, respectively).

The uniBTC tokens were then sold off for an alternative wrapped bitcoin token, for a return of almost 25x.

Crypto security auditor Dedaub claims to have identified the vulnerability in advance, stating that such a simple bug could be discovered and exploited automatically by ‘fuzzing bots.’

Despite warning the Bedrock team two hours before the attack, there was no response due time zone differences. However, by raising the issue separately with Pendle, a platform with $30 million of exposure to uniBTC, further losses were successfully averted.

The Bedrock team responded to the incident, reassuring users that all uniBTC collateral remains intact. It estimated the losses at “approximately $2 million (mostly in DEX LPs),” adding that a “comprehensive reimbursement plan is being finalized.”

Compromised keys?

On Wednesday, real-world-asset-focused Truflation warned of “some abnormal activity,” which it attributed to a malware attack.

Read more: Chelsea FC sponsor BingX tried to hide $40M hack behind ‘wallet maintenance’

Blockchain investigator ZachXBT traced total losses of over $5 million from addresses identified as the project’s “treasury multisig and personal wallets,” providing a list of addresses via his Investigations Telegram channel.

While the initial disclosure was scant on details, it does mention a reward to any whitehats able to aid the investigation. This was followed up with an on-chain message to the hacker, offering a 10% ‘bounty’ for the return of the funds.

Assuming funds aren’t returned before 8am (UTC) on Saturday, the bounty will be opened up to the public in return for information leading to a conviction.

Got a tip? Send us an email or ProtonMail. For more informed news, follow us on X, Instagram, Bluesky, and Google News, or subscribe to our YouTube channel.

The post Three DeFi hacks net $10 million in 48 hours despite ‘renaissance moment’ appeared first on Protos.

A ‘periphery’ contract of the decentralized finance (DeFi) sector’s biggest lending platform, Aave, was hacked for a total of $56,000 earlier today.

Aave, which contains assets worth over $11 billion according to data from DeFiLlama, has made clear that the attack, which began, around 04:30 UTC placed no user funds at risk. Founder Stani Kulechov and governance delegate Marc Zeller both took to X (formerly Twitter) to reassure users.

Read more: Compound DAO asleep at the wheel as $25M governance ‘attack’ passes

Fuzzland’s Chaofan Shou identified the cause of the hack, pointing to transactions on four networks: Ethereum, Aribtrum, Polygon, and Optimism. He estimated the total funds at risk to be around $70,000.

According to analysis by security firm QuillAudits, the losses to attacks on the above networks totaled approximately $51,000. A further attack on Avalanche netted around $5,000. Funds were forwarded to a holding address on all networks.

The affected periphery contract, ParaSwapRepayAdapter, isn’t part of the core Aave protocol and appears not to have been audited. It allows users to repay borrow positions using existing collateral, swapping assets via decentralized exchange ParaSwap.

While the contract itself isn’t designed to hold user funds, the positive slippage on swaps leads to a gradual accrual of any leftover tokens.

In response to questions about the origin of the funds stolen, Aave delegate Marc Zeller said, “Someone raided the tip jar.”

Aave development contributor BGD Labs later responded with more detail, informing users that losses were limited to the affected contracts and couldn’t spread to the wider protocol. The post also highlights that there’s no risk of a token approval-related attack.  

Read more: Seneca Protocol hack highlights dangers of Ethereum’s token approval mechanism

Glass houses

Two days ago, Euler Finance founder Michael Bently accused Aave of sweeping “major security issues” under the rug, in response to Kulechov’s teasing over Euler’s $200 million hack in March last year.

The comments, made in popular DeFi Telegram community LobsterDAO, resurfaced after today’s news, devolving into an argument between the two lending protocols.

Bently accused the Aave team of “celebrating and tweeting misinformation” shortly after Euler was drained, as well as claiming that Aave is held to different security standards by the community at large.

In November 2023, a reported security incident led to a number of Aave pools being paused, but full details remained unpublished, citing concern for potentially vulnerable ‘forks’.

However, plenty of Aave forks have been hacked in the past, with little sympathy from the original protocol.

Read more: Linea protocol ZeroLend is a ‘copy-paste’ Aave fork, linking to original’s docs

Kulechov dismissed his own earlier comment as “shitposting” while downplaying today’s event as “basically a tip jar arbed.” Then referring to Bently’s “tiring” talk of the upcoming Euler v2, Kulechov snapped “go build it and fuck off.”

Aave is certainly no stranger to heated relationships with other organizations in DeFi. Earlier this year, risk management team Gauntlet decided to leave the protocol after frustrations boiled over.

Got a tip? Send us an email or ProtonMail. For more informed news, follow us on X, Instagram, Bluesky, and Google News, or subscribe to our YouTube channel.

The post Aave hacked via periphery contract — $56K stolen from ‘tip jar’ appeared first on Protos.

Decentralized finance (DeFi) has its fair share of ‘forks,’ but rarely do they top the total value locked (TVL) charts. Linea, the zero-knowledge rollup ‘bootstrapped’ by Consensys, claims to be ‘home to the most innovative web3 projects.’ But its largest project, ZeroLend, is a seemingly low-effort fork of Aave, the widely-established lending protocol.

As noted by X (formerly Twitter) user @majinsayan, ZeroLend’s mobile site until very recently even redirected to Aave’s own FAQ section.

At $235 million TVL, ZeroLend accounts for over a third of the blockchain’s entire $667 million TVL, according to data from DeFiLlama.

‘Forking,’ common in DeFi, is the practice of copying an existing project’s code for reuse and, ideally, further development.

Oft-forked Aave is the biggest protocol in DeFi — ignoring Lido and Eigenlayer which offer ETH staking and re-staking, respectively — with $11.6 billion of TVL across 12 chains.

Many forks of Aave, and similar lending protocol Compound, have been deployed over the years, and have often fallen victim to hackers. Recent examples include Radiant Capital, which lost $4.5 million in January, and Michael Patryn’s UwU Lend, which was hacked for $20 million one month ago.

Read more: Sifu’s UwU Lend reportedly hacked for $20M, Curve’s Egorov among affected

Despite this, the original codebases are widely considered amongst the most secure in the sector, with any changes only possible via decentralized governance and on-chain voting.

While this may be comforting for even the most risk-averse crypto users, such as addresses labeled as the US government, it’s not without its own problems, given that any bug fixes take time to implement.

Read more: Compound Finance upgrade bug freezes $830M in crypto 

Friends don’t fork friends

Back in March, Aave governance delegate Marc Zeller described ZeroLend as “the Aave codebase with a high inflation shitcoin slapped on top.”

The comment came in response to ZeroLend’s governance forum post suggesting that Aave recognize them as a ‘friendly fork,’ offering to share revenue and a portion of their ZERO token airdrop in return.

Zeller didn’t seem keen on the reputation risk in associating Aave with one of the many unsanctioned spin-offs, however, hazarding that ZeroLend “only has one likely outcome, onboarding the wrong collateral or Oracle, or pushing a wrong config and getting featured in Rekt News.”

ZeroLend had been seeking a similar setup to MakerDAO’s SparkLend, which has been endorsed by Aave under a similar revenue sharing proposal since it passed in March 2023.

Despite this, Spark also found itself on Zeller’s radar last week. He accused MakerDAO of ‘creative accounting,’ leading to a revenue share calculation at ‘much closer to 1%,’ rather than the agreed upon 10%.

Zeller is no stranger to inter-DAO controversy, hitting out at Gauntlet and Morpho earlier this year, and criticizing the same pair’s risk management strategy in the wake of Renzo’s ezETH depeg. He then branded as “reckless” MakerDAO’s decision to onboard Ethena’s ‘synthetic dollar’ as collateral.

Got a tip? Send us an email or ProtonMail. For more informed news, follow us on X, Instagram, Bluesky, and Google News, or subscribe to our YouTube channel.

The post Linea protocol ZeroLend is a ‘copy-paste’ Aave fork, linking to original’s docs appeared first on Protos.

Aave governance discussions have been heating up recently. Two separate groups of advisors have left, and the protocol has faced criticism regarding a controversial rewards system designed to punish those who use competing platforms. 

Widely regarded as one of decentralized finance’s (DeFi) most mature governance systems, (although the bar isn’t particularly high) Aave holds over $8 billion of assets, but it’s not without its share of drama.

Aave is governed as a decentralized autonomous organisation (DAO) in which AAVE token holders vote on any changes.

Although one token equates to one vote, influential parties within DAOs often emerge, be it due to the concentration of governance token holdings (e.g. team members or early investors) or as service providers paid to advise on specific topics.

Read more: Curve exploit shows DeFi still far from decentralized in 2023

Gauntlet calls it quits

On Wednesday, Aave’s longtime risk management service provider, Gauntlet, announced its decision to walk away from the role it held since 2020.

Risk management is especially important for lending protocols, which must decide on which collateral assets to accept and adjust protocol parameters in response to market conditions. 

Outsourcing this work to dedicated service providers, Gauntlet and Chaos Labs, rather than relying on AAVE holders to keep track, cost the Aave protocol $3.2 million per year.

Gauntlet co-founder John Morrow laid out the reasons that “Gauntlet is no longer able to continue [its] work with Aave,” which included “inconsistent guidelines and unwritten objectives of the largest stakeholders.”

Morrow cites strong opposition to Gauntlet’s contract renewal in November 2023, as well as another example in which Gauntlet received strong criticism while a similar proposal by Aave’s other risk manager, Chaos Labs, went smoothly.

The examples given in Morrow’s statement are telling, in that they are all published by governance delegate Marc Zeller, representing the ACI faction of AAVE holders.

The relationship between Zeller’s ACI and Gauntlet has been strained for some time. Zeller’s recent criticisms have included Gauntlet’s slow reaction times to a fast-moving industry and perceived moonlighting for competition.

In response to Morrow’s statement, Zeller suggests that Gauntlet’s move is that of a  “mercenary” looking elsewhere for a better opportunity after having benefited from the “prestigious” role with Aave.

Merits and demerits 

Never shy of ruffling feathers, Zeller has also come under fire for a proposed new incentive system for Aave users.

The proposed ‘Merit programme’ would use protocol revenue to reward ‘Aave-aligned’ user behaviour, but would include dilution of any rewards for users of ‘non-aligned protocols.’ 

Currently, only one project has been labelled as ‘un-aligned,’ namely Morpho, whose CEO sees the move as Aave “attempting to prevent the growth of Morpho.”

Morpho’s Aave Optimizers, which Zeller refers to as a “leech,” operate on top of Aave, matching borrowers and lenders peer-to-peer. Their users would have any rewards diluted up to 100% — the stick — whilst also being eligible for a boost for migrating assets out of the optimizers and back to Aave — the carrot.

Zeller frames the 90-day pilot programme (worth $2.1 million) as a first step in the long-term redistribution of profits to users. 

However, the punitive aspect doesn’t sit well with some, who feel it goes against the DeFi ethos of user choice and disincentivizes innovation.

The proposal has been moved to a Snapshot vote, an intermediary (off-chain) sentiment check, before potentially moving forward to a full on-chain vote.

Time to GHO

Last week, the resignation of a member from the GHO Liquidity Committee, known as ‘TokenBrice,’ was accompanied by a tirade about ”theater” and “newspeak” in DeFi.

Aave had tasked the Liquidity Committee with maintaining the peg of GHO, Aave’s own stablecoin, which has tended to trade below peg since its inception in July last year.

The damning resignation statement from the departing member describes inefficiencies, poorly defined scope, and the danger of “governance professionals” who may have conflicts of interest.

Read more: Here’s why decentralized finance is actually very centralized

These ‘DeFi politicians,’ TokenBrice claims, use the committee “like a big bag of cash … to direct to protocol they have an interest in.”

The article also discusses DeFi more widely, stating that public governance forums are “just a stage” while the actual decisions are made “backstage.”

Meanwhile, in the Aave governance forums, the show continues. Three days remain to see what will happen next.

Got a tip? Send us an email or ProtonMail. For more informed news, follow us on X, Instagram, Bluesky, and Google News, or subscribe to our YouTube channel.

The post Advisors leave Aave as protocol punishes competitors appeared first on Protos.

A notorious market manipulator, responsible for last month’s attack on Mango Markets, yesterday attempted to crash the price of DeFi exchange Curve’s CRV token.

DeFi users tracked his movements on-chain. They rallied around the token, pumping the price by over 40% and leading to Eisenberg’s short position being liquidated. However, DeFi lending protocol Aave was left with 2.64 million CRV (worth approximately $1.6 million) in bad debt upon liquidating the collateral.

The strategy involved building up a hefty short position on Aave, borrowing a total of 92 million CRV against 57 million USDC collateral over the last few days. Then 20 million CRV was transferred to OKEx exchange and it was presumably dumped — shortly after, the price began a rapid descent.

It appeared that Eisenberg was targeting the liquidation of Curve founder Michael Egorov’s large long position, also on Aave. At a CRV price of $0.26, this position would be automatically liquidated by Aave, selling the CRV collateral, pushing the price further down and further boosting the short’s profitability.

Strategies like this work when on-chain liquidity is low. Lending protocols such as Aave and Compound tend to limit the assets accepted as collateral in order to reduce the potential for the type of extreme price manipulations that allowed Eisenberg to drain Mango Markets.

Read more: Here’s how three DeFi protocols lost $115M in one day

However, CRV’s main use is to be locked in exchange for governance rights on Curve, and much of the supply is locked for long periods as veCRV. This, combined with the recent liquidity crunch brought on by the collapse of FTX, led to lowered liquidity, making the trade theoretically possible.

Curve is an important protocol in DeFi, however, and many whales with deep pockets have an interest in maintaining a healthy CRV price. In response to the attack, CRV began to be bought up and the price began to recover quickly.

The release of a whitepaper for Curve’s upcoming stablecoin, crvUSD, may have further boosted the price, which reached $0.72, far above the $0.64 at which Eisenberg’s short position began to be liquidated.

As it became clear the bet wasn’t going to play out as he’d hoped, Eisenberg took to Twitter to say he would be “Taking the day off to spend time with family.” One of his liquidators subsequently left a message via Etherscan transaction input data that read, “We shall go always a little further… Mango sends it (sic) regards.”

Eisenberg, also known by his Ethereum address ponzishorter.eth, warned last month of the potential to manipulate prices of Aave collateral assets with low on-chain liquidity. In the example, he outlines a similar strategy using REN token:

While the damage to Aave is relatively small (Aave v2 bad debt is less than 0.1% of TVL according to RiskDAO’s dashboard), there has been some discussion as to whether the protocol could have adjusted lending parameters to avoid this result.

Liquidating large positions in a relatively illiquid asset can lead to heavy slippage when swapping the collateral asset to repay lenders. A discussion on whether to freeze or adjust LTV parameters for certain, currently volatile, collateral assets is ongoing.

For more informed news, follow us on Twitter and Google News or listen to our investigative podcast Innovated: Blockchain City.

The post Market manipulator liquidated trying to short Curve appeared first on Protos.

AAVE has a bad debt problem. A global community of people use the AAVE protocol to take out and service crypto loans, provide liquidity, stake, earn interest, and/or vote on governance proposals.

But as a result of these financial dealings, the AAVE protocol itself has debt — payable in the future to AAVE from its users. The problem? Some of those debts might have gone bad.

AAVE currently boasts more than $6 billion in crypto value on its platform. Its so-called ‘V2’ implementation currently has $5.5 billion in Total Value Locked (TVL), a commonly-cited (albeit easy-to-manipulate) measure of DeFi protocols. That TVL includes $5.16 billion in ETH and ETH-based tokens, $669 million in wrapped ether (WETH), and $546 million in wrapped bitcoin (WBTC).

DeFiLlama, a popular metrics website, tallies $1.7 billion of that $5.5 billion total as borrowed. The website also listed $350.3 million as assets able to be immediately liquidated — the second highest of any DeFi application.

DeFiLlama also cited an AAVE-controlled Ethereum wallet that currently holds $144 million worth of tokens, most of it AAVE-wrapped ether (aWETH) and AAVE-wrapped bitcoin (aWBTC).

Transaction data from this address indicates that the wallet receives high-value ETH transactions from centralized exchanges like Bitfinex. It also frequently interacts with one of Centre’s official USD Coin wallets. On November 21, for example, it received three transactions worth 1,250 ETH, slightly over 16,622 ETH, and almost 10,000 ETH, directly from a Bitfinex hot wallet.

An Ethereum address labeled in Etherscan as Aave: Genesis Team currently holds $82 million in Ethereum tokens. A recent snapshot by DeBank put its value at $74 million and $7 billion worth of USDC-owed debt.

The Aave: Genesis Team wallet interestingly received a transfer of 7.2 million USDC on November 17, 2022. It quickly transferred 7 million USDC to AAVE V2 in a transaction labeled ‘repay.’ These transactions indicate that the address’s controller is pulling USDC off an exchange to pay off the loan.

The AAVE community has a few questions

With so many centralized points of control, including centralized exchange accounts controlled by one person, the AAVE community is beginning to wonder not only whether its debtors are creditworthy, but also who even controls the protocol’s assets.

The bankruptcy of FTX has impaired the assets of many of AAVE’s debtors. Billions of dollars will remain locked in bankruptcy proceedings for months, and these assets cannot be immediately repaid to AAVE. At the worst, fear could spark a bank run as depositors try to withdraw their assets from the protocol en masse.

AAVE also faces the risk of loaning additional digital assets to borrowers who cannot repay. AAVE’s $1.7 billion in borrowed assets may indicate considerable leverage trading on digital asset exchanges. Of course, leverage comes with high risks, including losing money on a bad bet or even losing access to one’s assets when an exchange melts down as rapidly as FTX did.

Read more: DeFi protocols are limiting Ether borrowing — here’s why

Bad debt could haunt AAVE and its users, especially if markets have another significant downturn. AAVE could eventually be looking to dispose of billions of dollars’ worth of illiquid collateral. The protocol’s billions of supposed TVL could end up plummeting rapidly through a worsening bear market, a bank run-like panic, or both.

For more informed news, follow us on Twitter and Google News or listen to our investigative podcast Innovated: Blockchain City.

The post DeFi protocol AAVE faces bad debt and centralized points of failure appeared first on Protos.