DeFi Archives | Protos
https://protos.com/tag/defi/
Informed crypto news
Tue, 17 Dec 2024 16:33:37 +0000

Aave could leave Polygon over plan to use bridge funds for yield farming
https://protos.com/aave-could-leave-polygon-over-plan-to-use-bridge-funds-for-yield-farming/
Mon, 16 Dec 2024 13:40:50 +0000

Aave is the largest protocol on Polygon, accounting for over a third of the chain’s total value locked (TVL) at $467 million.

The post Aave could leave Polygon over plan to use bridge funds for yield farming appeared first on Protos.

Aave governance delegate Marc Zeller has aired concerns over the future of the decentralized finance (DeFi) lending platform on Polygon in the wake of a controversial proposal to use funds locked in the network’s bridge to earn yield elsewhere.

Aave is the largest protocol on Polygon, accounting for over a third of the chain’s total value locked (TVL) at $467 million, according to data from DeFiLlama.

The proposal to create a “Polygon PoS Bridge Liquidity Program” is currently in pre-PIP status and, in the four days since publication, has generated discussion between concerned and yield-hungry users alike.

While some point to the potential boon to the ecosystem of the program’s profits being “strategically deployed… to incentivize liquidity and stimulate project growth,” others raised security worries.

Many users pointed out that stablecoin holders are especially risk-averse and adding layers of risk onto a “stable” product is precisely the opposite of why users hold these assets. 

The $1.3 billion worth of idle stablecoins would be bridged for use on Ethereum via Aave competitor Morpho, with vaults being “curated” by the proposal authors AllezLabs. A “conservative” yield of 7% would be targeted, potentially earning over $90 million per year.

The resulting lending interest would then be funneled back to Yearn on Polygon, where it would be distributed among yield farming vaults to incentivize activity on the chain.

In Zeller’s own discussion thread on Aave’s governance forum, he cites examples of bridge hacks such as Ronin, BNB Bridge, Wormhole, and Multichain as making up many of the largest losses in DeFi over recent years. He proposes to “set loan-to-value (LTV) for all assets on Aave V2 and V3 Polygon to 0%,” essentially disabling new borrowing, as well as incentivizing the migration of already-deposited assets to other networks.

However, the fact that the proposal would see funds funneled to Morpho likely also doesn’t sit well. Aave and Morpho haven’t been on the best of terms since risk manager Gauntlet jumped ship from the former to the latter.

Tensions flared again when Zeller accused Gauntlet and Morpho of not doing enough to protect users in the wake of a depeg of restaking token ezETH in April.

Meanwhile, Aave has been riding the wave of the recent DeFi renaissance, breaking its all-time high of $38 billion worth of net deposits. Even a President-elect Donald Trump-linked address has been buying the AAVE governance token ahead of the planned launch of World Liberty Financial (also Trump-linked, despite a lengthy disclaimer) as an Aave instance on Ethereum.

Perhaps Polygon needs Aave more than Aave needs Polygon.

A Polygon Labs spokesperson told Protos: “The Polygon community has only put forth a pre-PIP (preliminary proposal) at this stage, and the topic is still in the very early phases of discussion. The Polygon community, which includes dApp builders across protocols, values open dialogue and collaboration as integral parts of the governance process. Getting feedback from all stakeholders is essential, and we encourage continued conversation to ensure these proposals are fully discussed and evaluated. Polygon Labs is supportive of the community continuing to prioritize the security of the ecosystem.”

UPDATE 16/12/2024 20:33 UTC: Included a quote from Polygon Labs spokesperson.

Got a tip? Send us an email or ProtonMail. For more informed news, follow us on X, Instagram, Bluesky, and Google News, or subscribe to our YouTube channel.

TradFi tactics win on Uniswap v3 says BIS study
https://protos.com/tradfi-tactics-win-on-uniswap-v3-says-bis-study/
Wed, 20 Nov 2024 11:40:58 +0000

A study by the Bank for International Settlements (BIS) claims that successful liquidity providers on Uniswap v3 mimic traditional finance.

A study published by the Bank for International Settlements (BIS) claims that the most successful liquidity providers on Uniswap v3 are sophisticated institutional agents who mimic the tactics of traditional finance.

Despite the promise of decentralized finance (DeFi) opening up lucrative opportunities to average Joes, the findings show that there’s no such thing as a free lunch.

The BIS’ 36-page Working Paper compares “sophisticated and unsophisticated participants” across the top 250 pools, representing 96% of volume on the decentralized exchange (DEX); the groups are defined according to their “behavior and position sizes.”

The “profitability, liquidity provision strategies and responses to market changes” of the two groups were then analyzed to explore “whether DEXs fulfill their promise of ‘democratizing’ financial markets by allowing anyone to participate in liquidity provision without intermediaries.”

Rather than wide-range, passive liquidity provision, the more successful, institutional group adapts to the market in real-time, “[mimicking] traditional bid-ask spreads, enabling them to earn significantly higher profits.”

In addition, these improved gains are further maximized, “especially during periods of high market volatility,” which are typically when LPs face the highest risk.

A short history of Uniswap liquidity providers

Decentralized exchanges, such as Uniswap, rely on users, known as liquidity providers, who deposit assets into “pools” which can then be used by traders to swap between the assets available.

In return, the providers are paid in the trading fees charged on each trade, with high-volume pairs being the most lucrative. Price volatility between the assets supplied can, however, incur heavy losses.

In Uniswap v1, launched in 2018, all assets were paired against ETH, a risky setup for liquidity providers because of its volatility. The DEX’s v2 introduced pools between pairs of any asset, meaning that providers for stablecoin pairs could earn relatively low-risk yield.

Uniswap’s v3 introduced the capacity for liquidity providers to specify a range over which their funds could be used to settle trades between assets — a feature known as ‘concentrated liquidity’. This change vastly increased the complexity, and potential profit, of providing liquidity, which had previously been a passive practice.

Hitting the sweet spot

The ability to adjust the range of their positions according to market conditions lets providers zero in on the most efficient use of their funds. However, the accumulation of “gas” fees required for fine-grained adjustments can make this viable only for the larger players.

The researchers found that sophisticated participants tend to avoid asset pairs with sustained volatility but capitalize on shorter periods of volatility by widening their range. Retail users tended to do the opposite and made fewer adjustments on high-volatility days.

Overall, “retail liquidity providers are outcompeted by a small group of sophisticated agents” who “hold about 80% of total value locked and focus… on liquidity pools that have the most trading volume and are less volatile.”

In contrast, the net profitability of retail users is skewed by a handful of especially successful examples, and on “more than half of the days [studied], retail liquidity providers lose money.”

While DeFi’s promise to democratize finance may be a noble goal, the study concludes that centralizing forces in traditional finance “are likely inherent characteristics of the financial system, even in DeFi.”

CHART: The growth of WBTC competitors
https://protos.com/chart-the-growth-of-wbtc-competitors/
Wed, 13 Nov 2024 17:05:06 +0000

Since WBTC announced that Justin Sun would be involved in custody, several competitors have launched or taken advantage of the opportunity.

In early August, a little over two months ago, BitGo announced that it was entering a new joint venture with Justin Sun and BiT Global, a Hong Kong-based custodian, to manage custody for Wrapped Bitcoin (WBTC).

Sun’s involvement was controversial, leading some DeFi projects to briefly consider whether WBTC would remain safe going forward. The most high-profile of these, MakerDAO, did eventually decide it was still safe to include WBTC.

This period of time even included a less than fully viable proposal for competitor Threshold Network to acquire WBTC. 

Additionally, both Coinbase and Kraken have launched competitors to WBTC following BitGo’s announcement.

Coinbase Wrapped Bitcoin has seen the most rapid growth among WBTC’s competitors.

Since then, Coinbase’s version, Coinbase Wrapped Bitcoin (cbBTC), has seen the most rapid growth among the four charted competitors, vastly outstripping both Kraken Wrapped Bitcoin (kBTC) and Threshold Network Bitcoin (tBTC).

Despite the originally controversial change and an initial surge, burn requests have slowed for WBTC, and the appreciation in bitcoin’s price has allowed its market capitalization to grow more substantially than the growth of its competitors tBTC, kBTC, and cbBTC combined.

Additionally, BitGo has announced that two of the three keys will remain in its control, split between BitGo Singapore and BitGo Inc., with only a single key under the control of Sun-affiliated BiT Global.

DeFi project Delta Prime hacked again — months after private key leak
https://protos.com/defi-project-delta-prime-hacked-again-months-after-private-key-leak/
Mon, 11 Nov 2024 12:24:12 +0000

DeFi application Delta Prime, which operates on the Arbitrum and Avalanche networks, suffered an estimated $4.5 million hack on Monday.

Decentralized finance (DeFi) application Delta Prime, which operates on the Arbitrum and Avalanche networks, suffered an estimated $4.5 million hack on Monday.

This is the second incident to hit the ‘yield farm’ in less than two months, bringing combined losses to approximately $10.5 million. The serial hacker responsible also looks to be a keen ‘farmer,’ putting $2 million to work on other platforms.

Blockchain security firm Peckshield suggested that Delta Prime “may want to take a look” at a suspicious transaction in which funds were sourced via a flash loan from the Balancer protocol.

A follow-up post identified the loss as linked to “the lack of input validation in claiming possible rewards.”

The official Delta Prime response to the incident estimates losses at $4.5 million and states that “the protocol [is] paused on both chains, the risk is contained.” Meanwhile, the project’s most recent X (formerly Twitter) thread had been an explainer on reimbursement tokens for victims of the previous hack.

According to X user yieldsandmore, the address responsible for the attack is an “experienced serial exploiter.” They also appear to be a keen DeFi user.

On Arbitrum, two addresses were identified as holding the profits from the exploit, which total approximately $700,000. However, as Peckshield notes, on Avalanche, where the majority of the funds ($4.1 million) were stolen, the exploiter is using around $2 million of the spoils to farm rewards on two DeFi protocols, LFJ (formerly Trader Joe) and Stargate.

Today’s hack comes just under two months after Delta Prime confirmed having lost $6 million to a private key compromise. Prolific blockchain investigator ZachXBT had previously warned of North Korean infiltrators in a number of DeFi projects, Delta Prime included.

To combat the threat of state-sponsored hackers working as moles within DeFi teams, some teams have resorted to a simple (but apparently effective) screening process.

According to Harrison Leggio, co-founder of token launchpad g8keep and known as Pop Punk on X, challenging potential hires to type “i hate kim jong un, fuck north korea” may be enough to scare them off.

Uniswap Labs launches Unichain without UNI unanimity
https://protos.com/uniswap-labs-launches-unichain-without-uni-unanimity/
Mon, 21 Oct 2024 18:31:33 +0000

Uniswap Labs has relegated the governance rights of UNI token holders in a controversial suite of decisions that favor Optimism.

One of the largest holders of UNI tokens is questioning Uniswap’s decentralization and backroom deal-making, specifically, its claim of “efficiency” as justification for a suite of overhauls, and a possible undisclosed financial interest between Uniswap Labs and another blockchain, Optimism.

The Head of Governance at Stanford Crypto, a delegate entrusted with UNI governance tokens from thousands of individuals, threaded a 22-post complaint about Uniswap’s sudden decision to launch its own blockchain, kill its proposed fee switch that might have benefitted holders of UNI, and bypass the ostensibly decentralized autonomous organization (DAO) that supposedly governs Uniswap.

The hurried launch of Unichain “took many by surprise” and left “delegates in the dark,” wrote Billy Gao, who casts votes on behalf of his sizable delegation. He also noted that the decision “functionally mutated” the ERC-20 contract of UNI, which is “immutable” only by the most strict and pointless definition — given that UNI is now tied to an entirely new blockchain.

‘What control do token holders truly have?’ the delegate lamented.

Uniswap (UNI) and Optimism (OP)

Worse, Gao soon raised suspicions of a backroom deal that financially motivated Uniswap’s extralegal bypass of the DAO. Although he did not make a formal allegation, he noted, “there must be reasons behind adopting the OP [Optimism] stack for Unichain.”

Optimism is a separate blockchain that publishes rolled-up data onto Ethereum. The so-called “layer 2” or “scaling solution” launched its own token, OP, which is worth over $7 billion.

Importantly, Optimism is just one of thousands of competitors in the layer 2 ecosystem atop Ethereum. Indeed, it is less than one-fifth of the value of all Ethereum layer 2s. The Stanford Crypto delegate asked why Uniswap Labs chose OP and why everyone should trust that the decision had no backroom deal-making.

Lingering questions about Uniswap’s decentralization

Questions abound regarding Uniswap Labs’ decision to repurpose the UNI token away from its original focus on exchange fees. Why did Uniswap not choose Arbitrum, for example, the market leader that is more than twice as large as Optimism?

In short, Uniswap Labs is the target of another critique that marks yet another chapter in its saga of decentralization theatrics. In the past, the leader of the ostensibly decentralized token exchange has drawn criticism for vesting power in monied interests like Binance, a16z, and even the $700 million Ethereum Foundation.

Now, delegates who thought they had a say in Uniswap governance are left stunned at a hasty decision to launch a new blockchain, change the real-world function of an ostensibly immutable smart contract, and align with a second-ranked layer 2 with its own token incentives.

Radiant Capital’s $50M crypto hack underlines DeFi’s multisig dependence
https://protos.com/radiant-capitals-50m-crypto-hack-underlines-defis-multisig-dependence/
Thu, 17 Oct 2024 15:40:40 +0000

Funds stolen in the Radiant hack -- $19M worth of BNB and $32M of ETH -- are being held in attacker addresses on BNB Chain and Arbitrum.

Yesterday, lending platform Radiant Capital suffered a loss of over $50 million worth of crypto when the project’s multisig wallet was compromised.

The incident offers a stark reminder of the importance of key management in the industry, and the potential for damage when signer addresses are compromised.

According to blockchain security firm SlowMist, private keys to three of 11 addresses were compromised in order to “transfer ownership of the LendingPoolAddressesProvider contract to a malicious contract controlled by the attacker.” This was then used to drain lending markets on two networks: Arbitrum and BNB Chain.

Crypto auditor Ancilia Inc. alerted the community, instructing users to revoke token approvals to the affected contracts, and adding updates as the losses mounted.

Unfortunately, the security experts were also reportedly duped into sharing a wallet drainer link from a spoofed account, ‘Radiarnt Capital.’

Radiant Capital’s official X (formerly Twitter) account acknowledged the incident approximately two hours later, as well as confirming the list of compromised contracts. In the meantime, regular marketing material was published and screenshots emerged of a team member assuming users had fallen victim to a “phising” (sic.) attack.

The stolen funds — $19 million and $32 million worth of BNB and ETH respectively — are currently held in attacker addresses on BNB Chain and Arbitrum. Radiant Capital previously lost $4.5 million to a well-known bug in January of this year.

Wider threat

The news underlined the decentralized finance (DeFi) sector’s reliance on multisig wallets to secure crypto worth billions of dollars.

L2BEAT researcher donnoh.eth pointed out the sheer scale of funds secured across the sector, with the threshold for each multisig displayed alongside the value held within.

The figures show that just two compromised signatures could lead to losses of $676 million on Starknet. A total of $1.756 billion is secured by just three signatures apiece across Blast (by far the best value-for-key for potential hackers), Frax, Taiko, and Kinto.

Four-signature thresholds secure $1.197 billion in total between Linea, Metis, and Loopring. Finally, $1.44 billion Mantle has the highest threshold, but its 13 possible signers also mean more would-be spear-phishing targets.

Multisig wallets are a common security feature for crypto users, especially projects that manage funds as a team or for making critical upgrades to their platforms. An established threshold of signatures is required to send transactions, with no single address able to do so alone.

However, multisigs represent a ‘honeypot’ target for black hats, with extraordinarily large sums extracted on occasion.

In July, Indian crypto exchange WazirX lost $230 million after two signer addresses were compromised, and a further two were likely tricked into signing a malicious transaction. In March 2022, the now infamous Ronin Bridge attack saw over $600 million stolen, which went unnoticed for almost a week.

Donald Trump’s WLFI token sale 96% short of $300 million goal
https://protos.com/donald-trumps-wlfi-token-sale-96-short-of-300-million-goal/
Wed, 16 Oct 2024 16:26:54 +0000

World Liberty Financial set lofty goals for the ICO of its Donald Trump-endorsed token, WLFI. It isn’t even 10% of the way there.

Donald Trump’s new crypto project World Liberty Financial has faceplanted again after it was revealed that, three days into its public token offering, insiders sold less than 4% of their goal of 20 billion WLFI tokens.

This news comes after researchers discovered that World Liberty hired workers from hacked crypto project Dough Finance, X (formerly Twitter) suspended the Rug Radio presenter who hosted its debut, and the website repeatedly crashed on its token sale day.

World Liberty Financial’s website admits that it still hasn’t sold 19.2 billion of the tokens it had hoped to. Indeed, as of publication time, it has raised less than $12 million of the intended $300 million.

Although insiders claimed to have whitelisted over 100,000 wallets for the initial coin offering (ICO), fewer than 10% of those wallets have participated.

As disappointments proliferated, its team began damage control.

  • The project cut its target for token sales to public buyers from 63% to 35%.
  • It named its ICO whitepaper a ‘gold paper’ to buffer its claims from legal recourse.
  • The team modified the promise to make WLFI tokens transferable after 12 months, adding a disclaimer that reads, “You should assume that the tokens are non-transferable indefinitely.”

Even if World Liberty Financial managed to hit its full 20 billion target, Trump would still own more. As compensation for his endorsements, he will own 22.5 billion WLFI tokens plus “significant fees for services.”

DeFi yields exceed 60% APY on bitcoin with insane risks
https://protos.com/defi-yields-exceed-60-apy-on-bitcoin-with-insane-risks/
Tue, 08 Oct 2024 10:45:28 +0000

Ultra-high yields on bitcoin-named tokens are available across a variety of interlinking, risk-compounding projects.

The crypto bull market is back, and with it advertisements for ultra-high yield opportunities to lure bitcoin from investors’ wallets. Unsurprisingly, centralized offerings and nascent DeFi projects are bull market-sizing their annual percentage yields (APYs).

ZeroLend, for example, an experimental, decentralized finance (DeFi) platform, offers an irresponsible 61% APR denominated in a bitcoin-branded token called Lombard BTC. This token is currently worth approximately the same as bitcoin.

It’s important to note that bitcoin itself, which is not proof-of-stake (PoS), offers no native yield. Nevertheless, by introducing risks like proprietary trading or lending customers’ deposits, centralized services like M2, WireX, or CoinHold raise that passive rate to 8%. EarnPark doubles the rate to 15%.

Bitcoin APYs cannot be compared to fiat benchmarks like the US prime rate of 8%, and, unlike PoS assets like ETH or SOL, holding BTC does not yield passive BTC.

For speculators looking for APYs above 15%, less conventional offerings are available for even more degenerate yields on bitcoin.

Looping up yields through bitcoin-themed DeFi

By daisy-chaining a series of protocols including Ethereum, ZeroLend, Lombard, Contango, and Babylon, bitcoin investors can earn outsized returns if everything goes according to plan.

Unlike the US dollar’s 4.53% risk-free interest rate, BTC has no risk-free interest rate. Nevertheless, conventional custodians and DeFi platforms are dangling APRs and APYs starting in the high-single digits and reaching into the high-double digits for bitcoin speculators.

With history as a guide — recalling Celsius, Voyager, Gemini Earn, and other disasters — investors should remember that high-yield bitcoin advertisements often have grave risks of total loss.

Andre Cronje says someone stole his code to build a $1B DeFi project
https://protos.com/andre-cronje-says-someone-stole-his-code-to-build-a-1b-defi-project/
Thu, 03 Oct 2024 17:39:13 +0000

Cronje claims that someone used his work to create an unauthorized copycat that amassed seven figures in total value locked.

Andre Cronje, a senior developer responsible for some of the biggest DeFi-focused projects at Fantom, Bribe.crv, Yearn, and Keeper, claims that someone stole his computer code for a billion-dollar project.

According to Cronje, someone used his work to create an unauthorized copycat that somehow amassed seven figures of total value locked (TVL) and fully diluted value (FDV). He also claims the thief neglected to pay him a licensing fee and even went as far as “slapping on a restrictive license.”

Cronje seemingly names the culprit

One X (formerly Twitter) user going by the name of ‘Brad’ speculated that the alleged culprit is Aerodrome Finance, built on Coinbase’s Base blockchain.

If that guess is correct, the TVL matches Cronje’s $1 billion almost perfectly. “This is a really bad look for the project and team if true,” said Brad.

Year-to-date, Aerodrome has grown its TVL from $120 million to $1.08 billion.

Cronje responded directly to Brad’s guess and seemingly confirmed it. An Aerodrome promoter subsequently claimed to be in conversation with Cronje, “We’re chatting. All is good.”

“Your team tilts me so much,” lamented Cronje. “You go to great lengths to lie and say it’s a rewrite.”

Aerodrome hosted a live social audio space on Thursday morning. Protos listened to a substantial portion of the event but didn’t hear any mention of Cronje’s allegation.

Protos reached out to Cronje for comment but had not received an immediate response prior to publication.

Three DeFi hacks net $10 million in 48 hours despite ‘renaissance moment’
https://protos.com/three-defi-hacks-net-10-million-in-48-hours-despite-renaissance-moment/
Fri, 27 Sep 2024 17:06:01 +0000

While Aave and Maker (now Sky) founders basked in a 'DeFi renaissance moment,' some less well-known projects were losing millions.

Yesterday, two hacks on decentralized finance (DeFi) protocols netted a total of over $5 million, with a further $5 million siphoned off from compromised wallets on Wednesday.

While the founders of two OG protocols, Aave and Maker (now Sky), bro’d down over Starcraft while basking in a “DeFi renaissance moment,” some of the sector’s less well-established projects were going down in history for the wrong reasons.

Repeat DeFi hack or a new bug?

First up was Onyx Protocol whose $3.8 million loss was first thought to be a repeat of the well-known bug that drained $2.1 million from the project toward the back end of last year.

Onyx is a fork of Compound Finance, which contains an infamous vulnerability in which freshly-launched, empty lending markets are briefly left open to a price manipulation attack, if not handled correctly.

Given the popularity of Compound’s v2 codebase with fast-forking DeFi devs, the bug is exploited with alarming regularity across the sector, and was initially identified as having been the cause of Onyx’s latest loss.

However, as the team pointed out in a ‘post-mortem’ thread on X (formerly Twitter), this time the vulnerability also lay in the platform’s ‘NFT Liquidation contract.’ The attacker was able to drain the vUSD stablecoin which was then sold off, causing it to depeg.

Something’s not adding up

Next came ‘bitcoin restaking’ protocol Bedrock which appeared to be overly bullish on ETH, costing it around $2 million.

The faulty code allowed users to mint Bedrock’s uniBTC token at a 1:1 ratio with staked ETH tokens, not taking into account the price difference between the two assets (valued at the time at approximately $65,000 vs $2,650, respectively).

The uniBTC tokens were then sold off for an alternative wrapped bitcoin token, for a return of almost 25x.

Crypto security auditor Dedaub claims to have identified the vulnerability in advance, stating that such a simple bug could be discovered and exploited automatically by ‘fuzzing bots.’

Although Dedaub warned the Bedrock team two hours before the attack, there was no response due to time zone differences. However, by raising the issue separately with Pendle, a platform with $30 million of exposure to uniBTC, further losses were successfully averted.

The Bedrock team responded to the incident, reassuring users that all uniBTC collateral remains intact. It estimated the losses at “approximately $2 million (mostly in DEX LPs),” adding that a “comprehensive reimbursement plan is being finalized.”

Compromised keys?

On Wednesday, real-world-asset-focused Truflation warned of “some abnormal activity,” which it attributed to a malware attack.

Blockchain investigator ZachXBT traced total losses of over $5 million from addresses identified as the project’s “treasury multisig and personal wallets,” providing a list of addresses via his Investigations Telegram channel.

While the initial disclosure was scant on details, it does mention a reward to any whitehats able to aid the investigation. This was followed up with an on-chain message to the hacker, offering a 10% ‘bounty’ for the return of the funds.

Assuming funds aren’t returned before 8am (UTC) on Saturday, the bounty will be opened up to the public in return for information leading to a conviction.
