Never a dull day indeed.
Today was among the busiest in recent DeFi memory, featuring a hack worth eight figures, a token dump worth upwards of eleven from none other than Ethereum co-founder Vitalik Buterin himself, a significant update on institutional adoption from Aave, and a proposal on Uniswap’s governance forums to turn $UNI into a governance token — a proposal once again courtesy of Vitalik. Rapid reactions, roughly in chronological order (assuming my memory isn’t totally fried from today):
Aave announces permissioned institutional trial pool
As first reported by Cointelegraph earlier today, Aave currently has a private test pool with institutional investors who are trying out DeFi.
I had the distinct pleasure of chatting with Ajit Tripathi, the head of institutional business development for Aave (who is also an excellent Twitter follow BTW) about the initiative earlier this morning. The key quote from him is that the test pool is in an “advanced” state, and will likely be live and ready for production as a permissioned market with KYC/AML features soon.
The news set off a flurry of debate in the DeFi community about whether or not institutions and their legal needs — specifically, those KYC and AML barriers — are ideologically and technically compatible with DeFi.
Pandering to institutions will kill this movement, mark my words. https://t.co/7AQTFcQD0P
— señor doggo 🚙 in a 2007 Kia Sedona 🚙 (@fubuloubu) May 12, 2021
Here’s the reality: in the short term, institutions dipping their toes in will inevitably be a boon for the space. More liquidity, more adoption, more users, more money floating around to fund your favorite projects staffed with wildly ambitious teenagers. Take their cash, their positive press, and shake them down for whatever they’ll give.
In the long term, their walled gardens will ultimately be a historical blip. Permissioned pools will be slower, less agile, and have less liquidity than the wider space — they’re doomed to fail. This is a first step towards the institutions eventually embracing participation in fully decentralized systems, which is the inevitable endgame.
If that take makes me a bootlicker pandering to our CeFi overlords, so be it. The jokes at my expense have been good at least:
Choke me daddy https://t.co/QpRVMU9bcH
— banteg (@bantg) May 12, 2021
xToken gets exploited
One of the most promising projects in the space was exploited for upwards of $25 million this morning. While the nature of the exploit was complex — effectively merging and leveraging two attacks into one — there’s some argument that simple steps could have mitigated the problem.
xSNXa and xBNTa contracts have been exploited. Minting paused on all contracts as we investigate further.
Liquidity pools have been drained, however most SNX and BNT remain in xToken contracts.
We owe the community an explanation and will be providing another update shortly
— xToken (@xtokenmarket) May 12, 2021
xToken allows users to hold interest-bearing derivatives of core assets like Aave and SNX that require some form of staking and/or governance or protocol participation in order to access their full value. The design is clever, even allowing users to select risk appetite or governance participation philosophy as options — much more nuanced than your standard “index” or “easy” product.
However, the trade between the synthetic or derivative tokens and their parents is partly to blame for the exploit this morning.
Per whitehat hacker Emiliano Bonassi, the attacker manipulated the Kyber DEX marketplace while simultaneously taking advantage of how xToken calculates the price of its x-token derivatives. As he told me on Twitter, the attacker effectively put “two exploits” into a single transaction:
So the problem is that the undervaluing is related to get the price on the amount exchanged on Kyber which is low because of the flood of SNX borrowed from Aave and dumped on Uniswap (connected via private reserve to Kyber)
— Ξmiliano Bonassi | Ξmiliano.eth (@emilianobonassi) May 12, 2021
It’s becoming increasingly clear that using a single DEX as an oracle is irresponsible without some form of time-weighted average price calculation involved, which mitigates the effects of flash loans intended to throw off DEX prices.
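The effect of time-weighting described above, as an added example that is not from the original post or from xToken, Kyber or Uniswap code: a constructed constant-product pool with a cumulative price accumulator, comparing the spot price with the time-weighted average after a large dump inside one transaction. The reserves, the 30-minute window, the 13-second block and the 5% deviation guard are all assumptions chosen for illustration.

```python
from dataclasses import dataclass

@dataclass
class Pool:
    """Constant-product pool that keeps a running sum of price * seconds."""
    base: float              # reserve of the asset being priced
    quote: float             # reserve of the asset it is priced in
    last_ts: int = 0
    cumulative: float = 0.0  # price-seconds accrued up to last_ts

    def spot(self) -> float:
        return self.quote / self.base

    def sync(self, now: int) -> None:
        self.cumulative += self.spot() * (now - self.last_ts)  # price held since last update
        self.last_ts = now

    def sell_base(self, amount: float, now: int) -> None:
        self.sync(now)                    # accrue the old price before reserves move
        k = self.base * self.quote
        self.base += amount
        self.quote = k / self.base

def twap(pool: Pool, obs_ts: int, obs_cumulative: float, now: int) -> float:
    """Average price between a stored observation and now."""
    pool.sync(now)
    return (pool.cumulative - obs_cumulative) / (now - obs_ts)

def guarded_price(pool, obs_ts, obs_cumulative, now, max_dev=0.05) -> float:
    """Return the TWAP, refusing to price while spot has diverged from it."""
    avg = twap(pool, obs_ts, obs_cumulative, now)
    if abs(pool.spot() - avg) / avg > max_dev:
        raise ValueError(f"spot {pool.spot():.4f} deviates from TWAP {avg:.4f}")
    return avg

def demo() -> dict:
    pool = Pool(base=1_000_000, quote=10_000_000)  # constructed reserves: price 10.0
    obs = (pool.last_ts, pool.cumulative)          # observation stored at t=0
    pool.sell_base(9_000_000, now=1800)            # large dump inside one transaction
    out = {"spot": pool.spot(), "twap_same_tx": twap(pool, *obs, now=1800),
           "twap_next_block": twap(pool, *obs, now=1813), "guard_blocked": False}
    try:
        guarded_price(pool, *obs, now=1813)
    except ValueError:
        out["guard_blocked"] = True
    return out

if __name__ == "__main__":
    print(demo())
```

A consumer reading the spot price in the same transaction sees 0.1 instead of 10, while the 30-minute average is unchanged, because a price that exists for zero seconds carries zero weight.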
Products like xToken are important for tax efficiency and low-effort participation; here’s hoping they recover.