The watered sprinkler – Ethereum’s protocol Aave has been at the centre of attention for several days. Indeed, the hacker responsible for the Mango Market attack appears to have targeted the lending giant. Let’s revisit this case and its various twists together.
Avaraham Eisenberg: the Mango Markets hacker
The Mango Markets protocol running on the Solana blockchain was the target of an attack on October 12. The attacker successfully syphoned more than $100 million from the protocol’s pools.
Twitter user answering to the pseudonym @Avi eisen quickly claimed responsibility for the attack. He then described the manoeuvre as an “extremely lucrative trading maneuver.”
Subsequently, this individual remade the narrative about him by asserting that an attack comparable to that of Mango Markets could be launched against the Aave protocol.
“I’ve been informed that Aave is completely secure, so here is a possible trading strategy. This is not financial or legal advice, but feel free to tip if you make nine figures with this strategy.
Approximately one month after this publication, it appears that Avi Eisen has decided to adopt his method.
The objective of the attack is to reduce the cost of the CRV.
Avi’s manoeuvre began on November 22. On the Aave protocol, he borrowed 20 million CRV tokens ($9.9 million). This loan was granted using USDC as collateral.
Its purpose is to reduce the price of CRV in order to short the asset.Avi transferred 10 million borrowed CRVs to the OKEx platform in order to massively resell them.
This selling drove the token’s price from $0.625 to $0.464, as reported by @Lookonchain.
Details of Avi’s short squeeze – Source: Twitter
In practice, Avi’s strategy appears straightforward: drive the CRV price down and maintain a short position to profit from the decline, while leaving Aave with massive debt.
A Losing approach
Nonetheless, the technique will not have produced the desired results. Avi’s position, which was jeopardised by the destruction of the CRV, could be eliminated by the protocol. As a result, the attacker was unable to profit from his short position, and the protocol liquidated his collateral.
Nevertheless, Aave is not indifferent to the situation. Thus, the strategy nevertheless resulted in a bad debt of $1,300,000, as disclosed by Gauntlet.
“The CRV short squeeze attempt on Aave failed and was unprofitable. Despite this, Aave has accumulated an insolvent position. »
Aave will need to find a way to cover these losses, despite the fact that the situation did not result in insolvent debt like it did for Mango Markets.
First, Gauntlet implemented a governance proposal aimed at mitigating this vector of attack.
In practice, Gauntlet offers to freeze a number of Aave v2 assets until v3 is deployed in order to mitigate risk. YFI, CRV, ZRX, MANA, 1inch, BAT, sUSD, ENJ, GUSD, AMPL, RAI, USDP, LUSD, xSUSHI, DPI, renFIL, and MKR are affected by this freeze. These assets were chosen because of their low liquidity.
Gleichzeitig bietet es an accelerated deployment of Aave version 3, which implements a number of additional security mechanisms.
On the side of the debt that was incurred, several methods could be used to repay it. As highlighted by @MoneySupply, the protocol’s DAO could consider using the reserves to cover the debt as a first step.
“At the current high utilization rate, reserves are actually growing faster than bad debts – reserves would catch up with bad debts in ~24 days at current rates. »
As a second step, Gauntlet would consider utilising funds from its insolvency reimbursement program, which was introduced in September of last year.
The DAO could finally decide to utilise its security module. As a reminder, this is closely related to the protocol’s AAVE token staking program.
“In the event of a deficit, part of the blocked AAVEs are auctioned on the market to be sold against the assets necessary to mitigate the observed deficit. »
But moving forward, decisions regarding how to proceed will be made in a decentralised manner thanks to the governance of the protocol.
At the same time, the third version of the Aave protocol is only a few weeks away from being deployed. This will result in a great deal of change, particularly in regards to the management of risks and security.
