Reviewing the Curve "governance attack" incident, the stablecoin USDM team stole 30 million dollars

Author: Chen Zou, BitpushNews

On Thursday, Charlie_eth, a core member of the Curve Emergency DAO, posted a message regarding the abnormal fluctuations in the price of CVX, which drew the attention of the DAO. It was ultimately discovered that this was a "governance attack" initiated by the USDM stablecoin protocol, Mochi protocol.

According to the official white paper of Mochi, the project is a self-managed decentralized stablecoin protocol that still uses over-collateralization (collateral value > loaned asset value), allowing for the listing of collateral assets based on specific conditions without barriers. Mochi users can mint USDM stablecoins using the listed collateral through the Mochi Vault smart contract.

In this attack, Mochi exploited governance vulnerabilities in its own protocol, Curve, and the Curve yield aggregator Convex to execute this "governance attack."

On November 10, Mochi launched its governance token MOCHI INU and incentivized the liquidity of its USDM stablecoin. The Mochi project team used a large amount of Mochi they held to mint a significant amount of USDM, then exchanged a large amount of it for Dai on Curve, but the project team still chose not to cash out immediately, instead using Dai to purchase a large amount of Convex governance tokens CVX (about 6000 ETH, 28 million USD). This step was quite clever, even attracting the attention of many CVX holders.

To understand why the Mochi project team went to such lengths to convert all their assets into CVX, one needs to understand the role of CVX.

Convex Finance is a "one-stop platform for CRV staking and liquidity mining" dedicated to simplifying the use of Curve, essentially a yield aggregator on the Ethereum chain, and CVX is its on-chain governance token. This token can be used to vote on proposals that determine the rewards for CRV holders and liquidity providers. Originally intended to promote the development of the CRV ecosystem, it became a tool for Mochi to complete the "governance attack."

Next, the Mochi project team used the large amount of CVX they held to vote and successfully increased the yield of the liquidity mining pools (distribution of CRV rewards), thereby attracting more liquidity providers to participate until the pool reached 100 million USD in liquidity. The project team felt it was time to harvest, so they chose to exchange Mochi for USDM and ultimately convert it to DAI, cashing out directly. It is estimated that about 46M USDM was exchanged for DAI, amounting to about 30 million USD. This was just the profit for the project team; considering the significant trading fees, slippage, and other losses, the miners' losses could far exceed this figure. According to sources, a Chinese investor known as "mining penguin" lost nearly 5 million USD in this harvesting.

The emergence of Curve solved the anchoring and slippage issues of stablecoins, leading to the creation of various stablecoins. Curve adjusts its weights weekly, and the locked veCRV determines CRV liquidity. Most CRV in the market is locked, with an average lock-up time exceeding 3 years, while Convex controls about 40% of the veCRV. From these data, it can be seen that most of the liquidity rewards for CRV are given to Convex, so one can obtain CRV shares through Convex. The three tokens and reward plans designed by Curve are quite complex, and Convex allows users to stake and claim CRV. Although Convex is merely a vertical asset management protocol for Curve, the locked veCRV amount staked in Convex far exceeds that of yEarn.

As a remedial measure, Curve Finance has completely shut down the USDM gauge, immediately stopping the receipt of CRV output to avoid larger losses.

Andre Cronje, the founder of Yearn Finance, called it "an amazing scam."

Interestingly, the Mochi Inu project team disclosed all the nested operations but did not respond to Curve's closure of its reward pool.

According to Coinmarketcap data, Mochi Inu's value plummeted, with a daily decline of 55.59%, currently priced at 0.00002627 USD, but it has not gone to zero.