Welcome back to Inside DeFi
Today’s edition looks at a gung-ho swap which lost the user almost $50 million. It seems multiple warnings can’t save the kind of madman who’s prepared to swap such size from a mobile-based hot wallet.
We also take a look into the move away from DAOs, and finish up with some short snippets from the security space.
Technical difficulties in the Aave sphere
On Thursday, one spectacularly unlucky (or gung-ho) user took a 99.93% loss on a low liquidity $50 million trade.
They swapped $50 million of (Aave-wrapped) USDT to just $35,000 of (Aave-wrapped) AAVE. The trade was made via Aave’s controversial CoW Swap integration which kicked off a months-long governance battle in December.
Read more: Aave Labs faces backlash over CoW Swap integration
That said, swapping such a large sum in a single transaction, apparently from a phone, and after having accepted price impact warnings, doesn’t exactly scream “bulletproof opsec practices.”
While both CoW Swap and Aave have pledged to return the fees, it’s a very small dent in an enormous loss.
Aave founder Stani Kulechov detailed the UI warnings the user ignored, but recognized the result was “far from optimal.”
He also admits the industry needs “additional guardrails… to better protect users.”
Justifying why such swaps aren’t blocked, CoW Swap said, “Preventing users from making trades… can lead to terrible outcomes in some situations (e.g. a market crash).”
Former governance delegate Marc Zeller was quick to rub some salt in the wound. He also pointed out that the loss wouldn’t be possible on the previous swap tool, which Aave Labs replaced.
It’s clear who the loser is in this debacle – the one who lost $49,965,000. But the big winners were the MEV bot backrunning the trade and Titan Builder, which apparently made a total of $34 million in tips, sent straight to Coinbase.
The loss wasn’t the only technical glitch in the Aave-sphere this week. Almost $27 million was liquidated the day before due to a faulty update of Chaos Labs’ Correlated Asset Price Oracle.
Are DAOs done?
Now that Aave Labs has flexed its voting power over the DAO, others are taking note.
Across Protocol has proposed ditching the DAO, in favor of a “US C-corp, via a token-to-equity exchange and token buyout.”
The thinking is that a change in governance will lead to “clearer accountability, faster execution, and a structure that can scale ops, partnerships, and product development over time.”
Co-founder Hart Lambur said “tokens are undervalued and underappreciated… the reality for Across is that having a token generally hurts more than it helps.”
The post goes on to state that the firm’s future focus will be stablecoins and “agentic payments.”
While others are rushing to tokenize equity, Across seems keen on doing quite the opposite.
Sky, formerly Maker DAO, is another (not so explicit) example of centralizing governance, albeit over a longer timeframe.
While some lament the perceived capture of one of DeFi’s longest-established DAOs, it seems to be working for the protocol, economically speaking.
Revenue within each DeFi vertical is concentrated into just one or two winners, as DeFiLlama’s 0xngmi points out. Many of those getting left behind are dropping like flies, or being forced to make tough decisions.
Read more: Across Protocol accused of looting DAO treasury of $23M
The chart comes from an article by Joel John of Decentralisedco, and questions the purpose of tokens. It notes that, while DeFi revenues have grown enormously, “most protocols lack a mechanism to return value to token holders.”
To be useful to holders, tokens must provide “claims to economic activity and the ability to guide governance.”
In cases where one or both of these aren’t in the interests of those holding sway over governance power, we may see more projects tearing off the DAO mask in the weeks and months to come.
Security snippets
A bite sized breakdown of some of the week’s security news.
The ongoing wave of front-end attacks continued to hit popular DeFi projects’ websites this week. Lending protocol Compound Finance and Solana memecoin launchpad BONK.fun were both affected.
No losses were found in relation to the former, while Bubblemaps found $20,000 was lost to the latter.
A SlowMist security researcher, who goes by “23pds,” shared a deep dive into a (possibly North Korean) campaign targeting a range of crypto companies’ supply chains, “from staking platforms, to exchange software providers, to the exchanges themselves.”
The hackers were successful in “exfiltrating proprietary exchange software containing hardcoded secrets.”
Security firm Cantina’s CEO, Hari Mulackal, examined the pressures facing the crowdsourced security model. He says security researchers, customers, and platforms all “hate it.”
In addition to problems with subjective bug severity and costs, Mulackal cites AI, which is “starting to be genuinely useful at finding bugs,” as a growing threat.
To combat endless submissions of slop bounty reports, a staking/penalty system or charge to submit bugs may provide reviewers some respite.
The post came in response to a security researcher’s claim that they “Lost $120K + 1st Place to an AI.”
Read more: DeFi, meet Claude: Moonwell’s ‘vibe-coded’ oracle in $1.8M blowup
Cosmos Labs published an investigation into the root cause of January’s $7 million hack of SagaEVM. The vulnerability was found to affect a number of chains built on the Cosmos EVM stack, specifically those which had used the “ICS20 precompile.”
The report explains that, “under certain execution conditions,” the vulnerability “could allow repeated use of the same token balance within a single transaction.” Affected networks were advised to disable the vulnerable precompile before a permanent fix was deployed.
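The Cosmos Labs wording above, “repeated use of the same token balance within a single transaction,” describes a class of bug rather than a mechanism, so here is an added, constructed Python sketch of one generic way it arises: a transfer handler that validates each call against a balance view frozen at the start of the transaction and only folds debits into state at commit. This is illustration only, not code from the Cosmos EVM, the ICS20 precompile or the Cosmos Labs report, and the modelled mechanism is an assumption, not the reported root cause. The account names, amounts and class names are all made up for the example.

```python
"""Toy model of a 'same balance spent repeatedly in one transaction' bug.

Added example for this newsletter entry. It is NOT the Cosmos EVM or ICS20
precompile code; the stale-snapshot mechanism below is an assumed, generic
way such a bug can arise and is not claimed to be the actual root cause.
"""
from dataclasses import dataclass


class InsufficientFunds(Exception):
    """Raised when a transfer exceeds the balance the handler believes it sees."""


@dataclass
class Ledger:
    """Committed state: account -> balance (constructed sample data)."""
    balances: dict[str, int]


class SnapshotTx:
    """Hypothetical buggy transaction context.

    Every transfer is checked against a view of balances taken when the
    transaction began, and debits are only applied to the ledger at commit.
    Within one transaction the view never reflects earlier debits, so the same
    balance passes the check again and again.
    """

    def __init__(self, ledger: Ledger) -> None:
        self.ledger = ledger
        self.view = dict(ledger.balances)  # frozen for the whole transaction
        self.pending: list[tuple[str, str, int]] = []

    def transfer(self, src: str, dst: str, amount: int) -> None:
        if amount <= 0 or self.view.get(src, 0) < amount:
            raise InsufficientFunds(src)
        self.pending.append((src, dst, amount))  # view is never updated

    def commit(self) -> None:
        for src, dst, amount in self.pending:
            self.ledger.balances[src] = self.ledger.balances.get(src, 0) - amount
            self.ledger.balances[dst] = self.ledger.balances.get(dst, 0) + amount


class LiveStateTx(SnapshotTx):
    """Hardened context: check and debit against a working copy that every
    earlier transfer in the same transaction has already modified."""

    def transfer(self, src: str, dst: str, amount: int) -> None:
        if amount <= 0 or self.view.get(src, 0) < amount:
            raise InsufficientFunds(src)
        # Apply the effect immediately so the next check sees it.
        self.view[src] -= amount
        self.view[dst] = self.view.get(dst, 0) + amount
        self.pending.append((src, dst, amount))


def run_attack(tx_cls, repeats: int = 3) -> tuple[str, dict[str, int]]:
    """Constructed scenario: an account holding 100 units tries to send its
    entire balance `repeats` times inside a single transaction."""
    ledger = Ledger({"attacker": 100, "sink": 0})
    tx = tx_cls(ledger)
    try:
        for _ in range(repeats):
            tx.transfer("attacker", "sink", 100)
    except InsufficientFunds:
        return "reverted", dict(ledger.balances)  # whole tx aborts, nothing committed
    tx.commit()
    return "committed", dict(ledger.balances)


def violates_invariant(balances: dict[str, int]) -> bool:
    """Post-state check a node or monitor can run: no account may go negative.
    Total supply is conserved in both cases, so that check alone would miss it."""
    return any(v < 0 for v in balances.values())


if __name__ == "__main__":
    for cls in (SnapshotTx, LiveStateTx):
        status, state = run_attack(cls)
        flag = "INVARIANT BROKEN" if violates_invariant(state) else "ok"
        print(f"{cls.__name__}: {status} {state} {flag}")
```

The buggy context commits three transfers funded by one balance and leaves the sender at -200; the hardened context rejects the second transfer and the transaction reverts with the ledger untouched. The negative-balance check is the kind of invariant worth asserting at block or transaction boundaries, since a plain total-supply check passes in both cases.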
A price cap oracle mishap saw $27 million in wstETH liquidated on Aave on Tuesday. While the incident isn’t exactly a blackhat exploit (more a failure of Chaos Labs’ code), oracle attacks have seen a recent uptick.
To finish off, in the latest installment of AI behaving badly, one of Alibaba’s research AIs allegedly cryptojacked itself.
The agent broke out of the “bounds of the intended sandbox,” triggering security alerts.
It had hijacked GPU capacity assigned for its own training, repurposing the compute to mine cryptocurrency.
— Jake Harrison
Source: https://protos.com/inside-defi-008-a-99-93-loss-and-are-daos-done/