DeFi Herald: TVL exceeded $50 billion, and Yearn Finance lost $1.4 million

The decentralized finance (DeFi) sector continues to attract increased attention from cryptocurrency investors. ForkLog has collected the most important events and news of recent weeks in a digest.

Key indicators of the DeFi segment

The volume of locked funds (TVL) in DeFi protocols increased to $51.5 billion. The leader was Lido with $20.7 billion, while the second and third places in the ranking were held by Maker ($8.4 billion) and JustLend ($6.5 billion), respectively.

Data: DeFi Llama.

TVL in Ethereum applications grew to $28.4 billion. Trading volume on decentralized exchanges (DEX) over the past 30 days was $77.1 billion.

Uniswap continues to dominate the non-custodial exchange market, accounting for 55.7% of total turnover. The second DEX by trading volume is PancakeSwap (15.1%), the third is Trader Joe (8%).

OKX DEX lost $2.76 million as a result of hacking

Decentralized exchange OKX suffered a $2.76 million exploit due to an alleged leak of the proxy administrator's private key. PeckShield experts estimated the damage at this amount.

According to SlowMist analysis, when exchanging on the platform, users authorize the TokenApprove contract, which then transfers the user's tokens.

The ClaimTokens feature allows a trusted DEX proxy to make a call to it. In this case, the servers are managed by administrators who can independently make changes to the smart contract.

On December 12, the owner of one of the servers updated it, which made it possible to directly call ClaimTokens to transfer user tokens. The attacker used this exploit.

Yearn Finance lost $1.4 million due to a transaction error

As a result of a “wrong scenario” multi-sig transaction, DeFi protocol Yearn Finance lost 63% of treasury funds in the Lp yCRV pool.

The incident occurred during the «normal fee token conversion process» and resulted in the exchange of 3,794,894 yCRV for 779,958 yvDAI. The team clarified that the losses amounted to $1.4 million.

Liquid staking token yCRV presents CRV coin from Curve in the protocol pool. The project invests funds into the structure to support liquidity and receives income in the form of commissions.

However, due to a glitch in the exchange script, all treasury funds in one of the protocol's largest pools were sent to the DEX CoW Swap. The transaction caused significant price slippage, which “was taken advantage of by arbitrageurs and other market participants.”

The developers explained that the erroneous transfer of the entire Yearn Finance balance in the pool was one of 30 orders made through a multi-sig transaction. This made it difficult to manually control, and the commission exchange script “did not have sufficient output checks and contained a logical error” in limiting the size of the swap.

To prevent such incidents, Yearn Finance has taken a number of precautions, including:

dividing treasury funds in the pool into contracts with individual managers; introduction of more easily readable output messages in trading scripts; tightening price impact thresholds.

DeFi project SafeMoon filed for bankruptcy

On December 14, SafeMoon lawyer Mark Rose filed for bankruptcy of the DeFi project. The SFM token reacted with a sharp decline.

Chapter 7 U.S. Bankruptcy Code filings filed in Utah County Court. SafeMoon US LLC estimated its assets to range from $10 million to $50 million and its liabilities to range from $100,001 to $500,000.

Amid the news, the SFM token fell to $0.000055. Over the past week, the coin has lost 22.4%, according to CoinGecko.

Hourly chart of SFM/USDT exchange Data: TradingView.

Nirvana Finance hacker agrees to return $12.3 million

The hacker responsible for hacking the Nirvana Finance yield farming protocol and an unnamed DEX has pleaded guilty and agreed to forfeiture of $12.3 million in stolen assets.

According to the US Attorney's Office, in the summer of 2022, 34-year-old senior security engineer Shakib Ahmed exploited a vulnerability in the smart contract of an unnamed exchange.

A few weeks later, he attacked Nirvana Finance using an instant loan and withdrew $3.49 million in cryptocurrencies from the project’s treasury.. Although the protocol developers offered the hacker a reward, the parties never reached an agreement.. The attacker exchanged the stolen funds for Monero and passed them through the Samourai Whirlpool mixer.

In July, Ahmed was charged with wire fraud and money laundering.. In addition to the confiscation of the stolen cryptocurrency, he was ordered to pay compensation to the victims in the amount of $5 million.

The final verdict in the case will be delivered on March 13, 2024. Ahmed faces up to five years in prison.

Also on ForkLog:

Coinbase listed a token from the Base network for the first time. DEX Uniswap launched on the Rootstock Bitcoin sidechain. The court dropped the criminal prosecution of the Platypus Finance hacker.