The $23 million hack of Resolv’s stablecoin USR has led to contagion across the DeFi sector.
Opportunistic traders used de-pegged USR to borrow against, draining liquidity in more than a dozen yield vaults.
To make matters worse, so-called “risk curators” automatically allocated more money to broken markets when interest rates on loans rose.
In November, a similar contagion hit DeFi’s “curated” vault ecosystem after Stream Finance announced a $93 million loss, leading to a 75% xUSD loss.
Despite discussions about risk assessments and trustees putting in the first loss capital, it seems that not much has been learned after the chaos.
The hack
The Resolv Labs statement confirmed that a private key compromise led to the unauthorized (and unlimited) “minting of approximately $80 million in uncollateralized USR.”
USR’s pre-hack token offering remains fully hedged, with losses coming from liquidity providers (LPs) on decentralized exchanges when the hacker sold the minted tokens. For example, LPs on Curve Finance alone are estimated to have lost $17 million.
The hacker's selloff caused USR to depeg; it is currently trading at $0.23, according to data from CoinMarketCap. Blockchain security company Beosin estimates the attacker's profit at 11,409 ether ($ETH), worth over $23 million at the time of writing.
The Resolv team was criticized for slow response time in collecting the necessary multisig signatures to pause the protocol.
It has contacted the operator in the chain and requested a refund of 90% of the converted $ETH amounts, as well as the remaining USR.
The consequences
The hack may have been simple, but the knock-on effects were anything but.
Depegged USR was preyed upon by opportunistic traders who used it to drain the yield vaults with hardcoded price oracles. By purchasing cheap USR to use as collateral, users could borrow other assets, such as USDC, as if USR were still worth $1.
As if things weren’t bad enough, the automated strategies of ‘risk curators’ then allocated even more money to the affected markets, whose high usage had boosted the yields on offer.
Omer Goldberg of Chaos Labs explained how Morpho’s Public Allocator feature enabled curators “including Gauntlet, re7, kpk and 9summits” to automatically allocate millions of dollars of assets to markets “based on pre-configured and approved ceilings and credit lines.”
In some cases, Goldberg says, assignments to broken vaults took hours.
However, the chaos also brought innovation, as the automatic allocations were even specifically intended to free up additional liquidity. Enterprising competitor Obsidian also took advantage of the incident by offering a migration service to users whose deposits are stuck in illiquid Morpho vaults.
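The failure mode described above, a hardcoded collateral price combined with yield-chasing allocation, can be modelled in a few lines. This is an added example, not code from Morpho, Resolv or any curator; the market names, balances, the 2% deviation threshold and the independent `SPOT` price feed are assumptions, and only the $0.23 USR price is taken from the article.

```python
from dataclasses import dataclass

@dataclass
class Market:
    name: str
    collateral_units: float  # collateral tokens posted by borrowers
    borrowed_usd: float      # loan asset already borrowed
    supplied_usd: float      # loan asset supplied by lenders
    oracle_price: float      # USD price the market's oracle reports

    def utilization(self) -> float:
        return self.borrowed_usd / self.supplied_usd

    def bad_debt(self, spot_price: float) -> float:
        """Debt left uncovered when collateral is valued at the real price."""
        return max(0.0, self.borrowed_usd - self.collateral_units * spot_price)

    def oracle_deviation(self, spot_price: float) -> float:
        return abs(self.oracle_price - spot_price) / self.oracle_price

def naive_allocate(markets):
    """Yield-chasing rule: fund whichever market has the highest utilization."""
    return max(markets, key=Market.utilization).name

def guarded_allocate(markets, spot, max_deviation=0.02):
    """Same rule, but skip markets whose oracle disagrees with an independent spot."""
    healthy = [m for m in markets
               if m.oracle_deviation(spot[m.name]) <= max_deviation]
    return max(healthy, key=Market.utilization).name if healthy else None

# Constructed sample data; only the $0.23 USR price comes from the article.
MARKETS = [
    Market("USR/USDC", 1_000_000, 900_000, 1_000_000, oracle_price=1.00),
    Market("OTHER/USDC", 1_000_000, 600_000, 1_000_000, oracle_price=1.00),
]
SPOT = {"USR/USDC": 0.23, "OTHER/USDC": 1.00}

if __name__ == "__main__":
    usr = MARKETS[0]
    print("bad debt in USR market:", round(usr.bad_debt(SPOT[usr.name])))
    print("naive allocator funds:", naive_allocate(MARKETS))
    print("guarded allocator funds:", guarded_allocate(MARKETS, SPOT))
```

The guard returns `None` when every candidate market fails the deviation check, which a caller should treat as "hold funds" rather than falling back to the naive rule.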
Assessing the damage
Morpho’s Paul Frambot counted 15 affected vaults with USR exposure of more than $10,000.
According to security researcher Weilin Li, curators of the affected vaults, on Morpho and elsewhere, include Gauntlet, Re7, MEV Capital, Extrafi, Seamless, August, Clearstar, kpk, Leyrock and 9Summits.
For those who followed the November collapse, many of these names will be familiar.
Yearn, whose contributors were among the fiercest critics of the interest rate vaults that led to the November crash, suffered a minimum loss of $377.
Ironically (or tellingly), Resolv’s own risk manager, Steakhouse, was not exposed to USR, despite the fact that Resolv “operationally demonstrated institutional rigor” five days before the hack.
The backing of Inverse Finance’s DOLA stablecoin was indirectly exposed to USR’s depeg, with the team pledging to close the $340,000 gap.
A number of credit markets have shut down the USR markets, including Venus Protocol, which itself was hacked last weekend, and Lista.
Fluid was the hardest hit and may have accumulated up to $17.5 million in bad debt. However, the team assured users that it had “taken out short-term loans to cover 100% of bad debts.”
It is also considering selling FLUID tokens “should additional funds be needed.”
After a difficult few months for top dog lending protocol Aave, with board drama and an oracle accident, Stani Kulechov of Aave Labs was keen to draw attention to Aave’s lack of fame.
DeFi daisy chain
The web of platforms affected by the compromise of a single private key is a stark reminder of how one of DeFi’s most important innovations, interoperability, is a double-edged sword.
Automated allocation can optimize returns under normal circumstances, but when something breaks, which often happens in DeFi, unintended behavior follows.
Without its own resources, the current setup encourages ‘evil game theory pushing’ [curators] to seek more risk.”
This latest installment once again calls for curators to play a role in the game. One approach is to transcribe deposits, where trustees will be the first to suffer if their risk is improperly ‘curated’.

