Curve exploit shows DeFi still far from decentralized in 2023

When Terra LUNA, Celsius, Voyager, Three Arrows, FTX, and other centralized platforms collapsed in 2022, many predicted a renaissance of DeFi in 2023.

DeFi proponents predicted that harmed retail investors would opt for so-called trustless and permissionless platforms. Instead of depositing funds into a centralized exchange, DeFi would allow users to lend, borrow, farm, swap, and use various financial strategies using smart contracts.

That was the promise. In reality, most DeFi is just as centralized as traditional finance. A disturbing number of insiders are exploiting DeFi vulnerabilties using privileged, centralized powers.

Everyone thought it would be better to disintermediate centralized companies like FTX. However, DeFi is having a rough 2023.

Centralization and hacks have plagued DeFi in 2023

A DeFi founder might cause trouble by using a large quantity of a token’s circulating supply to fund the purchase of, for example, a mansion.

DeFi founder Michael Egorov offloaded 39 million of his Curve (CRV) tokens via over-the-counter transactions, including 5 million CRV to Justin Sun, to avoid a bank repossession of his mansion. Egorov allegedly took out a $100 million loan from another DeFi giant Aave, collateralized with $175 million in CRV, to buy the mansion.

Avon Court in Melbourne, Australia features nine bedrooms and seven kitchens, including an 18-seat teppanyaki kitchen (via The Block).

More recently, somebody exploited DeFi-related smart contracts using the Vyper programming language. Through this single attack vector, DeFi protocols Curve lost $61 million, AlchemixFi lost $13 million, and JPEG’d lost $11 million.

Other DeFi protocols have been hacked for over $67 billion.

• EraLend paused operations after an exploit that resulted in $3.4 million lost.
• Conic Finance suffered at least two rapid-fire exploits that resulted in a loss of more than $4 million.
• Platypus Finance and Rodeo Finance also suffered multiple hacks.
• The SwapRum decentralized exchange rug pulled, making off with $3 million.
• DeFi yield aggregator Kannagi Finance did exactly that, stealing $2 million in assets deposited on its platform.
• DeFiLabs also rug pulled for $1.6 million.
• Merlin DEX blamed “rogue developers” for a $1.82 million exploit. However, followers suspected a rug pull.
• Umami Finance halted yields and its CEO dumped enough UMAMI tokens to tank its price amid accusations of a rug pull.

Theatrical governance votes

Typically, a small group of voters control governance of so-called decentralized autonomous organizations (DAOs). Founding developers of Party Parrot exploited a vote to give themselves 80% of the proceeds from its Initial DEX Offering.

Aragorn DAO stirred up a considerable amount of controversy with its attempt to ignore the results of a vote and ban members who asked questions on its Discord channel. It partially backtracked but maintained that the previously banned members had conducted a coordinated harassment campaign.

DeFi giant Multichain also collapsed after a calamitous series of misbehavior by insiders. Chinese law enforcement officials arrested its CEO and his sister. Multichain claims it lost $131 million in an exploit, and that the CEO’s sister transferred $107 million out of the platform to protect it. Some people suspected that the thefts might have been inside jobs.

DeFi is prone to exploits, rug pulls, inside jobs, thefts, and decentralization theater. Most DAOs are heavily weighted toward large stakeholders. Many DeFi apps are also vulnerable to attention from regulators and the judicial system. The ability to steal funds or shut down at the first sign of trouble can be taken as a sign that DeFi is not as decentralized as it claims to be.