Welcome back to Inside DeFi
Aave, DeFi's largest protocol, has finally voted on the long-awaited Aave Will Win proposal from founder Stani Kulechov's Aave Labs. Guess who won.
This week's issue also rounds up some of the week's security news, including a hack with unintended upsides, a review of ZK proof security, and more.
Aave vote sees service providers sour
To no one's surprise, Aave Labs won last weekend's vote on the Aave Will Win Framework proposal.
The Snapshot vote passed narrowly, with 52.6% in favor. Overall, just shy of 1.2 million tokens were used for voting, less than 8% of AAVE's circulating supply, which seems surprisingly low for such a high-stakes decision.
Following the win, Stani Kulechov took to X to promise "structural improvements for the ARFC stage based on community feedback." However, replies were restricted.
Governance delegate Marc Zeller of ACI wasn't happy with the result.
Reflecting on the results, he points to three Labs-linked whale addresses that swung the vote: "The community rejected the proposal. Labs overrode it on their own $51 million budget request."
The following day, ACI announced its decision to leave Aave, following in the footsteps of developer BGD Labs.
The forum post reasons that "there is no role for an independent service provider in an environment where the largest budget recipient holds undisclosed voting power and uses it on its own proposals."
Kulechov paid tribute to Zeller's impact on Aave, which he called "well documented and widely felt," before assuring users that the protocol and incentives are back to business as usual.
Despite months of DAO drama, Aave's inflows and outflows remain unaffected, even as the AAVE price bleeds relative to competitor Morpho's.
A donation attack has its upsides
The sDOLA/crvUSD market on LlamaLend, the lending arm of Curve Finance, was hit by a so-called donation attack.
After initial suspicions that Inverse Finance's contract was the target, founder Nour Haridy set the record straight, pointing instead to the 14% bonus enjoyed by sDOLA holders.
Curve's investigation stated that the exploit relied on the "combination of which price oracle is used for sDOLA… vs how much sDOLA existed outside of collateral in this market." A more detailed analysis can be found here.
As well as a bump for sDOLA holders, the buy pressure from liquidations repegged crvUSD after around a month below peg.
Curve says it would have paid the attacker more as a bounty, had they disclosed the bug, than they made by exploiting it.
ZK ain't EZ
A pair of zero-knowledge proof (ZKP) exploits from recent weeks prompted a security review of Groth16 verifiers.
The report states that simpler bugs (such as the incorrect setup exploited in both cases) were overlooked while developers concentrated on the complex cryptographic codebases associated with ZKP protocols.
The projects affected, Veil.Cash and Foom.Cash, were exploited for around $10,000 and $2.26 million, respectively, though the majority of the latter project's funds were returned by whitehat hackers, including Decurity, who carried out the exploit.
Elsewhere…
A scare over Lido's wstETH bridge to ZKsync led the project to close the bridge to new deposits on Tuesday. A fix will be audited and deployed in the "next scheduled on-chain Lido governance omnibus vote… after which deposits will resume."
OpenZeppelin audited Paradigm and OpenAIâs EVMbench, covered in a prior edition.
The report highlighted "methodological flaws," accusing the model of relying on "pattern matching" of known bugs rather than aiming to discover novel vulnerabilities.
It also criticized "invalid vulnerability classifications including at least four issues labeled high severity that are not exploitable in practice."
The post describes a "structural problem" in that publicly available training data "often includes disputes, invalid issues, and inconsistent quality." Without "expert curation," models will inevitably inherit that "noise," leading to "higher false-positive rates, misleading benchmarks, and security tools that look good on paper but underperform where it counts."
Thursday saw Solv Protocol exploited for $2.7 million. Decurity explained that a "double-minting flaw" allowed an attacker to loop 22 burn-mint transactions, "turning 135 BRO into 567M BRO." The tokens were then swapped for 38 SolvBTC… bro.
Solv Protocol later acknowledged the incident, stating that the affected users, who number fewer than 10, would have their losses reimbursed.
Security researcher and developer storming0x claimed that OpenAI's coding assistant Codex was able to spot the vulnerability "in two minutes flat, with simple prompt and skills, without any additional context."
— Jake Harrison
Source: https://protos.com/inside-defi-007-%F0%9F%92%AD-aave-labs-in-charge-aci-reaches-breaking-point/


