2022: Chaos in Crypto
Governance attacks, bridge hacks, protocol failures, liquidation cascades, degenerate traders and major insolvencies. It's a fun year to be in crypto
So far in 2022 alone, billions of dollars have been lost to hacks exploiting vulnerabilities in DeFi. Hacks and exploits are nothing new, but the scale and complexity of some of those seen this year have been extraordinary:
#3 Beanstalk — $181 million
It’s always pandemonium when a large protocol is drained, and the Beanstalk hack was no different. The unusual nature and story of the hack only makes it all the more interesting; Beanstalk has thus earned a well-deserved podium position for Biggest Hacks So Far This Year.
Bean.money was a decentralised stablecoin (and, as we all now know, those never collapse) which fell to a malicious combination of a flash loan and a governance attack. First, the attacker made a proposal (BIP 18) that would transfer all of the funds out of the Beanstalk contract, and then made another proposal (BIP 19) that would transfer $250k of $BEAN to the wallet collecting donations for Ukraine. Naturally, no community would vote through the first proposal, since it would destroy the project.
However, the hacker then took out a $1 billion flash loan from Aave, used the borrowed tokens to pass the proposal, repaid the loan within the same transaction, and walked away with 24,830 WETH in profit, which was promptly obfuscated via Tornado Cash. The $250k was also sent to the Ukrainian war fund.
The protocol was completely drained: losses totalled $181m, even though the hacker only managed to siphon off $76m of that. The team had been anonymous, and to dispel any suspicion that the exploit was an inside job they decided to doxx themselves. Omniscia, the firm that had audited the protocol, stated that this particular type of exploit fell outside the scope of their audit. Despite the community’s best efforts to relaunch what they had believed to be something special, the project was devastated by the attack. It is never a good sign when a project’s landing page has a section entitled “A way forward for X…”
Fortunately, lessons were learned from this exploit. Most notably, it highlighted the risks of on-chain governance when combined with flash loans: if voting power is read from a voter’s current token balance, and a proposal can be executed in the same transaction in which the votes are cast, then anyone who can borrow enough tokens for a single transaction can borrow control of the protocol for that transaction. The ways in which this could be addressed involve either more centralisation or greater checks and balances on proposals (which may also be a centralising force), such as measuring voting power from a snapshot taken before the proposal existed, or imposing a delay between a vote passing and its execution.
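To make the mechanics concrete, here is a small Python model of the attack, added for this article and not Beanstalk’s or Aave’s code. It compares a governance contract that reads voting power from the voter’s current balance and executes in the same transaction against one that snapshots voting power from a block before the proposal and enforces a timelock between a vote passing and its execution. The token supplies, the two-thirds threshold, the loan size and the account names are all constructed assumptions, not Beanstalk’s parameters.

```python
"""Toy model of a flash-loan governance attack (added example, not Beanstalk's or Aave's code).
snapshot_votes:  read voting power from a checkpoint strictly before the proposal's creation
                 block (the ERC20Votes / getPastVotes pattern) instead of the current balance.
execution_delay: blocks between a proposal reaching the threshold and execution (a timelock).
A flash loan must be repaid in the same transaction, so borrowed tokens exist for one call only.
Supplies, threshold, loan size and names are assumptions, not Beanstalk's parameters."""
from types import SimpleNamespace

THRESHOLD_BPS = 6_667   # assumed supermajority: two thirds of total supply
LOAN = 1_000_000        # assumed flash-loan size, in governance tokens

class QuorumError(RuntimeError): ...
class TimelockError(RuntimeError): ...

class Token:
    """Governance token that records a (block, balance) checkpoint on every transfer."""
    def __init__(self, chain, initial):
        self.chain, self.balances = chain, dict(initial)
        self.checkpoints = {h: [(0, b)] for h, b in initial.items()}
    def transfer(self, src, dst, amount):
        if self.balances.get(src, 0) < amount:
            raise ValueError(f"{src}: insufficient balance")
        self.balances[src] -= amount
        self.balances[dst] = self.balances.get(dst, 0) + amount
        for holder in (src, dst):
            self.checkpoints.setdefault(holder, [(0, 0)]).append((self.chain.block, self.balances[holder]))
    def balance_at(self, holder, block):
        """Balance per the last checkpoint strictly before `block`: same-block transfers are invisible."""
        balance = 0
        for at, amount in self.checkpoints.get(holder, []):
            if at >= block:
                break
            balance = amount
        return balance

class Governance:
    def __init__(self, chain, token, treasury, *, snapshot_votes, execution_delay):
        self.chain, self.token, self.treasury = chain, token, treasury
        self.snapshot_votes, self.execution_delay = snapshot_votes, execution_delay
        self.proposals = {}
    def propose(self, action):
        pid = len(self.proposals) + 1
        self.proposals[pid] = {"created": self.chain.block, "action": action,
                               "votes": {}, "queued_at": None, "executed": False}
        return pid
    def vote(self, voter, pid):
        p = self.proposals[pid]
        power = (self.token.balance_at(voter, p["created"]) if self.snapshot_votes
                 else self.token.balances.get(voter, 0))
        p["votes"][voter] = power
        supply = sum(self.token.balances.values())
        if p["queued_at"] is None and sum(p["votes"].values()) * 10_000 >= THRESHOLD_BPS * supply:
            p["queued_at"] = self.chain.block        # threshold reached: the timelock starts now
    def execute(self, pid):
        p = self.proposals[pid]
        if p["queued_at"] is None:
            raise QuorumError("threshold not reached")
        if self.chain.block < p["queued_at"] + self.execution_delay:
            raise TimelockError("execution delay has not elapsed")
        p["executed"] = True
        p["action"](self.treasury)

class FlashLoanPool:
    """Lends tokens for one call and demands them back before the call returns."""
    def __init__(self, token, address):
        self.token, self.address = token, address
    def flash_loan(self, borrower, amount, callback):
        before = self.token.balances[self.address]
        self.token.transfer(self.address, borrower, amount)
        callback()
        if self.token.balances[self.address] < before:
            raise RuntimeError("flash loan not repaid; the transaction would revert")

def run_attack(snapshot_votes, execution_delay):
    """Return (treasury_drained, blocks_after_proposal) for the given governance settings."""
    chain = SimpleNamespace(block=1)        # current block number shared by all contracts
    token = Token(chain, {"community": 400_000, "pool": LOAN, "attacker": 1_000})
    treasury = {"protocol": 500_000, "attacker": 0}
    gov = Governance(chain, token, treasury, snapshot_votes=snapshot_votes, execution_delay=execution_delay)
    pool = FlashLoanPool(token, "pool")
    def drain(t):                           # the malicious proposal: treasury -> attacker
        t["attacker"] += t["protocol"]
        t["protocol"] = 0
    pid = gov.propose(drain)
    chain.block += 1                        # the attack transaction lands in a later block
    def attack_tx():                        # everything here happens inside one transaction
        gov.vote("attacker", pid)           # 1,001,000 votes without a snapshot, 1,000 with one
        try:
            gov.execute(pid)                # immediate execution; only a timelock stops it
        except (QuorumError, TimelockError):
            pass
        token.transfer("attacker", "pool", LOAN)   # repay before the call returns
    pool.flash_loan("attacker", LOAN, attack_tx)
    if not gov.proposals[pid]["executed"]:
        chain.block += execution_delay      # wait out the timelock and retry with the recorded votes
        try:
            gov.execute(pid)
        except QuorumError:
            pass
    return treasury["protocol"] == 0, chain.block - gov.proposals[pid]["created"]

if __name__ == "__main__":
    for snap, delay in [(False, 0), (False, 1), (True, 0), (True, 1)]:
        print(f"snapshot={snap!s:<5} delay={delay}:", run_attack(snap, delay))
```

Run stand-alone, it prints one result per configuration. The instructive case is the timelock without a snapshot: it only delays the theft by a block, because the tally was computed from balances at the time of the vote and the borrowed votes are already recorded when the loan is repaid. The snapshot is what actually breaks the attack, since a balance that only existed inside one transaction never appears in any checkpoint from before the proposal was created. The timelock’s value is the reaction window it gives the rest of the community.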
#2 Wormhole — $326 million
2022’s silver medal goes to Wormhole, which suffered a $326 million exploit on 3rd February, only a week after another bridge hack (Qubit Finance, exploited for $80 million on 28th January). The loss of 120,000 WETH not only called into question the promise of a cross-chain future (something Vitalik had warned about only weeks beforehand), but also meant that a significant portion of the wrapped Ethereum being traded on Solana was suddenly not backed by anything.
In an attempt to negotiate with the hacker to retrieve the lost Ethereum, a message was sent from the Wormhole Deployer:
This is the Wormhole Deployer:
We noticed you were able to exploit the Solana VAA verification and mint tokens. We’d like to offer you a whitehat agreement, and present you a bug bounty of $10 million for exploit details, and returning the wETH you’ve minted. You can reach out to us at contact@certus.one.
Accepting the white hat offer would still have been extremely profitable: the hacker could have made off with $10 million, with no charges pressed and no need to live as a fugitive. Add to this that the $10 million would have been liquid and would not have needed laundering, and accepting $10m over $326m starts to look like the better deal; you can hardly expect to steal $326 million without issues down the line.
Nevertheless, Wormhole never received a counter offer, and the stolen ETH is still sitting in the hacker’s wallet.
This should have been a disaster for Wormhole and for Solana, and many were convinced that it would be, but in the end the market maker Jump came to the rescue and, in under 24 hours, the missing ETH was fully replaced (although it is unclear exactly what the terms of this bailout were).
#1 Ronin Network — $624 million
The winner of Biggest Hacks So Far This Year is also the largest hack ever to have happened in DeFi. It is a tale of either obscene competence or ridiculous negligence, since nobody noticed that the attack had taken place for almost a week.
Axie Infinity had been rising in popularity throughout 2021 and 2022, but the high fees and low speeds on Ethereum rendered the gaming experience inferior to that on other chains. It was thus decided that decentralisation would have to stand aside in favour of speed and throughput, and the Ethereum sidechain Ronin was launched. Ronin used a Proof of Authority (PoA) model in which control was placed in the hands of nine validator key holders, any five of whose signatures were required to authorise significant actions such as a bridge withdrawal.
Strangely, four of the nine keys were held by one party, Sky Mavis, meaning that only one further signature was required to take control of the bridge. The attacker appears to have gained that fifth signature via an arrangement made between the Axie DAO and Sky Mavis in November, which allowed Sky Mavis to sign on behalf of the Axie DAO’s validator. That permission should have been revoked after one month, but never was, so the four Sky Mavis keys plus the delegated Axie DAO signature were enough to reach the threshold on their own.
The exploiter then drained 173,600 ETH from the Ronin bridge, as well as an additional 25.5 million USDC (which was swapped for ETH).
Bizarrely, the attacker’s wallet was initially funded from Binance, and some of the stolen funds were sent to FTX and Crypto.com. Sending stolen funds directly to centralised exchanges is a strange thing to do, because deposit wallets there are tied to KYC’d accounts. Sky Mavis announced in a statement that in future eight of the nine signatures would be required rather than five.
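The Ronin setup is a reminder that a k-of-n threshold says nothing about how many independent parties actually have to cooperate. The following Python check, added here and not Ronin’s or Sky Mavis’s code, maps each validator key to the party operating it, applies whatever delegations are still in force, and computes the smallest number of distinct parties whose keys reach the threshold. The key names, the “Operator A–D” parties and the block numbers are constructed for illustration; the shape (four keys with one party, one delegated key that was never revoked, a 5-of-9 threshold later raised to 8-of-9) follows the description above.

```python
"""Effective-control check for a threshold validator set (added example, not Ronin's code).

A k-of-n signer set is only as decentralised as the number of distinct parties that must
cooperate to produce k signatures. Each key maps to the party operating it; a delegation lets
one party sign with another's keys until it expires or is revoked. All names and block numbers
below are constructed for illustration.
"""
from itertools import combinations

# Constructed validator set: four keys run by one operator, one delegated key, four others.
VALIDATORS = {
    "v1": "Sky Mavis", "v2": "Sky Mavis", "v3": "Sky Mavis", "v4": "Sky Mavis",
    "v5": "Axie DAO",
    "v6": "Operator A", "v7": "Operator B", "v8": "Operator C", "v9": "Operator D",
}

# The delegation as described: granted for a month, never revoked, no enforced expiry.
DELEGATION_LEFT_OPEN = [
    {"from": "Axie DAO", "to": "Sky Mavis", "granted": 100, "expires": None, "revoked": False},
]
# The same delegation with its intended expiry actually enforced (toy block numbers).
DELEGATION_EXPIRING = [
    {"from": "Axie DAO", "to": "Sky Mavis", "granted": 100, "expires": 130, "revoked": False},
]


def signable_keys(validators, delegations, at_block):
    """Map each party to the set of validator keys it can sign with at `at_block`."""
    keys = {}
    for key, party in validators.items():
        keys.setdefault(party, set()).add(key)
    for d in delegations:
        if d["revoked"] or (d["expires"] is not None and at_block > d["expires"]):
            continue  # no longer in force
        grantor_keys = {k for k, p in validators.items() if p == d["from"]}
        keys.setdefault(d["to"], set()).update(grantor_keys)
    return keys


def min_parties_to_reach(threshold, keys):
    """Smallest set of parties whose distinct keys reach `threshold` (exact search; n is small)."""
    parties = list(keys)
    for size in range(1, len(parties) + 1):
        for subset in combinations(parties, size):
            covered = set().union(*(keys[p] for p in subset))
            if len(covered) >= threshold:
                return size, subset
    return None, ()


def audit(validators, threshold, delegations, at_block):
    """Report how many parties must collude to reach the threshold, and flag policy problems."""
    keys = signable_keys(validators, delegations, at_block)
    needed, witness = min_parties_to_reach(threshold, keys)
    findings = []
    if needed == 1:
        findings.append(f"{witness[0]} alone reaches the {threshold}-of-{len(validators)} threshold")
    for d in delegations:
        if not d["revoked"] and d["expires"] is None:
            findings.append(f"delegation {d['from']} -> {d['to']} has no expiry and is still active")
    return {"parties_needed": needed, "witness": witness, "findings": findings}


if __name__ == "__main__":
    for label, delegations, threshold in [
        ("5-of-9, delegation left open", DELEGATION_LEFT_OPEN, 5),
        ("5-of-9, delegation expired", DELEGATION_EXPIRING, 5),
        ("8-of-9, delegation left open", DELEGATION_LEFT_OPEN, 8),
    ]:
        result = audit(VALIDATORS, threshold, delegations, at_block=400)
        print(f"{label}: {result['parties_needed']} party/parties needed; {result['findings']}")
```

With the delegation left open, a single party reaches 5-of-9 on its own; with it expired, two are needed, which is still only one signature beyond what a single operator holds. Raising the threshold to 8-of-9 forces at least four parties to cooperate even with the open delegation, and five without it. The exhaustive subset search is fine for nine keys; for a large validator set the same question is a set-cover problem and you would use a heuristic instead.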
Insolvencies
The cases above describe three of the largest DeFi hacks of the year so far. I have no doubt that there will be countless more, but the real news of the past few weeks has had little to do with malicious “shadowy supercoders” stealing nine-figure sums from unsuspecting victims. The largest collapses in the cryptocurrency industry over the past few weeks have almost uniformly been the result of excessive greed among a small number of individuals.
The first large project to implode in spectacular fashion was Terra: Luna and the algorithmic stablecoin UST entered a death spiral that destroyed $40 billion of value in a matter of days. As usual, the outcry of calls for regulation did little to enliven the hearts of those who had been crushed. The founder of Terra, Do Kwon, faced death threats, and there were reported instances of people who had lost their entire life savings turning up at his house. He is currently being sued by a variety of parties in various jurisdictions.
As always, the interconnectedness of markets makes it difficult to tell which domino set the rest falling; nevertheless it seems that the Terra collapse put undue strain on a market still carrying too much speculative leverage, and for many was the straw that broke the camel’s back. Tens of billions of dollars were wiped from retail holdings and corporate treasuries almost overnight. Most insidiously, many had been relying on UST as a stablecoin precisely because they did not want to expose themselves to volatility.
The second huge domino to fall during this stage of the bear market appears to have been the Celsius Network. At the time of the Luna collapse, Celsius was already in a financially tenuous position: the majority of the ETH it held was staked in the ETH 2.0 deposit contract and therefore illiquid, which becomes a problem if too many depositors try to withdraw at once. After the Terra collapse, the natural caution that set in as more people decided to take custody of their funds and de-risk meant that huge amounts were withdrawn from Celsius. This was amplified by the fact that Celsius had approximately $500,000,000 of exposure to Luna at the time of the collapse and very nearly took a huge loss (in fact, data from Nansen showed that Celsius’s own selling, under its “risk mitigation” strategies, made it one of the seven key whale wallets that exacerbated the loss of peg).
Celsius had already suffered losses from the Badger DAO exploit, and Crypto Twitter has been tracking its Maker vaults, popcorn in hand, as further liquidations loom. Whilst Celsius may have advertised itself as an alternative to banking that returns rewards to its customers rather than to shareholders, it seems more accurate to describe Celsius depositors as unsecured lenders who entrusted their funds to degen traders to take on huge amounts of leverage and brand it “yield”. As such, it now appears that Celsius is almost completely insolvent, and its “run on the bank” forced it to restrict withdrawals “to protect the community”.
The third domino in this debacle is Three Arrows Capital, which a few months ago was the largest cryptocurrency fund in the world and now also appears to be completely insolvent. A few months ago it was reported to have AUM in excess of $18 billion; it would now seem lucky to have held on to $1 billion, having failed to meet a series of margin calls and seemingly having dipped into its clients’ funds.
The main issue when a fund such as Three Arrows Capital goes down (and it appears that it will: Tether announced that it had liquidated both Celsius and 3AC on the same night for failing to meet margin calls) is that to become so well capitalised it borrowed from almost everyone. As one of the largest borrowers of cryptocurrency worldwide, its collapse poses a systemic risk to lenders, who are ill-prepared for such a shortfall: most of them operate with just a 5% buffer, meaning that existing loans will be called in and lenders will be forced to liquidate other positions to keep their equity from being wiped out. Celsius had in fact collapsed before the Three Arrows Capital news broke, but there is no reason to suspect that there won’t be more collapses on the horizon.
This withdrawal of credit from the system removes huge amounts of potential buying pressure at these levels, and may cause further havoc through liquidations. Three Arrows Capital itself has a $250 million ETH position on Aave, which will be liquidated if ETH breaks below $1,000.
As the volume of credit creation in the system is destroyed and allocators choose more risk-off assets, prices continue to fall.
Conclusion
The first three examples in this article highlighted some of the largest hacks DeFi has experienced this year, and yet none of them quite compare in size to the sums lost or gambled away through various vectors of centralisation, in an industry that takes pride in the opposite. It may seem ironic that Satoshi’s white paper purported to offer a solution to centralised control, and to bankers’ ability to take huge risks with other people’s money, and yet hedge funds and “fintech” companies have entered the space and used the technology to scale up the financial debauchery. The DeFi hacks were large, but they were complex attacks on new and experimental technology, so it ought not come as a surprise that vulnerabilities were found. It is only through the vectors of centralisation that the largest risks are allowed to grow to be structurally significant.
The Terra collapse ($40 billion) was a failure of centralisation in that the Luna Foundation Guard was not a transparent (nor, seemingly, competent) organisation, and the notion that Luna was in any way decentralised was a complete fallacy. The Celsius collapse (tens of billions) was due to opaque business practices and a small group of people using others’ money to take on huge risks, all the while accompanied by morally dubious and utterly insincere branding. The collapse of Three Arrows Capital (tens of billions) was likewise a case of exuberance, in which a small number of people with outsized capital had the opportunity to take on extreme amounts of risk and leverage, and jumped at it. Even the Ronin failure was a centralisation risk, in that a Proof of Authority model was adopted for validators and the signatures needed to reach the threshold sat, in effect, with a single party. If there is anything to learn from the failures and collapses of 2022 thus far, it ought to be the importance of extricating oneself from the naivety of trusting third parties.
The risk-taking junkies of capital allocation love leverage more than a Glaswegian loves smack, and they inject it into their business models with far less caution. Decentralisation and long-term thinking did not cause any of these failures: opacity, incompetence and negligence caused them, and they were only possible because a disproportionately small number of people wielded a disproportionately large amount of power and were able to earn the trust of others.
“Don’t trust, verify” has long been a motto of the community, and it should now be clearer than ever that long-term thinking in such a “wild west” industry requires personal responsibility and self-custody. Fortunately, some of the largest vectors of centralisation, which could have become oligopolistic forces in the space for years to come, behaved like complete degenerates and caused their own companies to implode first. There will be many more examples over the coming weeks and months, as the last of the leverage is purged from the system.
The silver lining is that those protocols which are transparent, tried and tested have fared extremely well. Not only have blue chips such as Aave, Compound and Maker inadvertently capitalised on the volatility by profiting from liquidating everyone, but they do not appear to be at any existential risk: the projects simply do what they claim, and the governance token holders of their respective DAOs keep them running as intended. The same is true of Bitcoin, which has never seemed less risky in terms of protocol fundamentals: the hash rate continues to reach new ATHs, adoption continues to rise, and more countries are adopting it as legal tender (the Central African Republic having joined El Salvador a couple of months ago).
It remains to be seen what the rest of 2022 will bring. Will CeFi, or, in sickeningly disingenuous VC lingo, “CeDeFi”, continue to lag behind transparency and decentralisation, and pose more of an existential risk to retail portfolios than proper self-custody? Of course it will. Regulators may look at DeFi and see an unregulated cesspit of scams, frauds and ponzi schemes; and it is one. But there is more to DeFi than lies, hopium and degenerate levels of leverage. What regulators ought to take from the events of 2022 so far is not that DeFi is a net negative for society, but that destruction in free markets is necessary and that new technologies always have issues. The real risk comes not from the technology itself, but from the profligate degeneracy of those who abuse their positions.