Finance Redefined: DeFi gets its first merger after a devastating hack, Nov. 18–25

Published at: Nov. 26, 2020

Finance Redefined is Cointelegraph’s weekly DeFi-centric newsletter, delivered to subscribers every Wednesday.

On Saturday, we saw one of the most complex smart contract hacks yet affecting Pickle Finance, a yield optimization protocol very similar to Yearn — an important point for later.

PeckShield provided a technical explanation for it, but I think only Solidity developers can really understand it.

The high-level take is that the hacker found two textbook examples of code vulnerabilities in the “pickle jars” — the protocol’s term for yield strategy contracts. One was failure to check if the jar is actually supported, which resulted in the hacker deploying an “evil jar” that the system believed to be legitimate. The other flaw was a “remote” code execution vulnerability that allowed the hacker’s contract to call functions as if it were the Pickle administrator contract.

The hacker basically just instructed the smart contract to give them all the money it held. The loot is the entirety of the affected Dai jar, worth about $20 million.
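The two missing checks described above, shown as an added Solidity sketch. This is not Pickle Finance's code: `GuardedController`, `IJar`, `moveBetweenJars` and both allowlists are hypothetical names chosen for illustration, and the comments mark what each check is there to prevent.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.20;

// Added illustration with hypothetical names; not the protocol's own contract.
interface IJar {
    function withdraw(uint256 shares) external;
}

contract GuardedController {
    address public immutable governance;
    mapping(address => bool) public approvedJar;    // jars the protocol actually supports
    mapping(address => bool) public approvedTarget; // helper code allowed to run as the controller

    error NotGovernance();
    error JarNotApproved(address jar);
    error TargetNotApproved(address target);
    error HelperCallFailed();

    constructor() { governance = msg.sender; }

    modifier onlyGovernance() {
        if (msg.sender != governance) revert NotGovernance();
        _;
    }

    function setJar(address jar, bool ok) external onlyGovernance { approvedJar[jar] = ok; }
    function setTarget(address target, bool ok) external onlyGovernance { approvedTarget[target] = ok; }

    function moveBetweenJars(
        address fromJar, address toJar, uint256 shares,
        address target, bytes calldata data
    ) external {
        // Check 1: a caller-supplied jar address is untrusted input. Without this,
        // any contract exposing the IJar interface is treated as a legitimate jar.
        if (!approvedJar[fromJar]) revert JarNotApproved(fromJar);
        if (!approvedJar[toJar]) revert JarNotApproved(toJar);

        // Check 2: delegatecall runs the target's code with this contract's storage
        // and identity, so the target must be code that governance has reviewed.
        if (!approvedTarget[target]) revert TargetNotApproved(target);

        IJar(fromJar).withdraw(shares);
        (bool ok, ) = target.delegatecall(data);
        if (!ok) revert HelperCallFailed();
    }
}
```

An allowlisted target is only as safe as its own code: a helper that itself forwards arbitrary calls reopens the second flaw, so each approved target needs the same review as the controller.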

A few developers including Banteg, a core Yearn team member, assisted the Pickle team in triaging the vulnerability. Not that there was much that could be done — the money was gone, and this hacker was not so gracious as to return money to “nurses” affected by the hack.

This was perhaps the first high-profile usage of DeFi insurance. Cover Protocol, which provided some Pickle users with coverage in case of disastrous events like this, paid out $320,000 worth of claims in full after a five-day deliberation.

The first merger, or should we say vassalization?

Fast forward to Tuesday, when Andre Cronje, Yearn’s founder, publishes a plan of how Pickle Finance and Yearn will now have a “symbiotic relationship.”

In essence, Pickle’s yield-farming strategies are going to become Yearn’s. Its developers will publish them on the Yearn platform and earn the 10% performance fee reward, just like any other strategy developer. In general, the Pickle team will benefit from the Yearn team’s technical expertise.

For Yearn users, this symbiosis brings with it some monetary and governance benefits. They will be able to put their vault tokens — which represent their share of a yield-farming strategy fund — into a Pickle gauge. In doing so, they will earn DILL, Pickle’s newly established voting token. Further rewards coming from Pickle are also planned, while users affected by the hack will eventually be reimbursed through a scheme involving another token called CORNICHON.

If any of you ever played Crusader Kings 2 (a strategy game where you lead a state in the Middle Ages), this seems quite similar to the strategy of willingly becoming some large empire’s vassal to receive protection from a bigger enemy.

The two ecosystems will be effectively merged, with Yearn users receiving a stake in Pickle but not the other way around. Nonetheless, some Yearn community members expressed dissent over what seems like a unilateral decision by the development team to absorb another protocol.

On the face of it, this would look like the exact type of thing token holders should have a say in. In response, another Yearn core member, Tracheopteryx, raised an important point about the process: There is (almost) no action required from Yearn.

Vaults are already permissionless, so the Pickle team could’ve developed strategies on Yearn at any point. The additional tokens and gauges are all going to be implemented on Pickle’s side — again, they could’ve done it themselves earlier.

I would still expect this to at least subtract some resources from Yearn for integration and auditing, but the holders did delegate major operational decisions to the core team in an earlier vote.

The ease of the merger is a powerful testament to the composability and freedom of DeFi, perhaps the “good example” when compared to SushiSwap’s birth as a Uniswap parasite. But we should also be aware of the power dynamics of it all — I wouldn’t want DeFi to look like my Crusader Kings games.

Further developments this week

Money on Chain launches TEX, a unique twist on the concept of a decentralized exchange inspired by gold markets.

Mooniswap and 1inch pledged to launch the AMM protocol on NEAR to take advantage of its sharded blockchain.

dHedge receives $1.1 million capital injection to power its “decentralized hedge fund.”