The latest salvo in the multibillion-dollar “Curve Wars” might be the most daring yet, and the protocol’s response has revealed deep ideological fissures in the decentralized finance (DeFi) community.
Curve.Finance is the largest DeFi protocol with $20.8 billion in total value locked (TVL), according to CoinGecko. The protocol holds a vital place in the DeFi universe because of its CRV token rewards emissions – a key source of income for multiple other protocols and one of the foundational pillars of a rapidly growing $270 billion market.
On Wednesday night, a young project – meme coin-flavored Mochi Inu – executed a series of transactions that tilted CRV rewards in its favor by using a token-locking mechanism in Convex Finance, a yield farming protocol built on top of Curve.
This jockeying for CRV emission rewards is a common practice among protocols and is often referred to as the “Curve Wars.”
Read More: How Yield Farming on Curve Is Quietly Conquering DeFi
In a Twitter thread Thursday morning, Mochi formally announced themselves as a new player in the Curve Wars, writing that “Curve is the backbone of DeFi, and Convex is the kingmaker of Curve.”
— Mochi Inu (@MochiDeFi) November 11, 2021
Shortly after the transactions, however, the Curve Emergency DAO, a nine-person group using a multi-signature scheme with limited governance powers over CRV reward emissions, cut off Mochi’s rewards, and in a governance forum post, semi-anonymous Curve contributor Charlie wrote that Mochi’s overnight actions were a “clear governance attack.”
In an interview with CoinDesk semi-anonymous Mochi founder AZ, also often referred to as Azeem, said that the Emergency DAO’s security concerns were “reasonable” and that he hopes to address those concerns in the coming weeks.
Nonetheless, the decision from the decentralized autonomous organization, or DAO, has prompted much community debate, as some have argued that the protocol should not single out any one user and that blacklisting another protocol runs against DeFi’s open, permissionless ethos.
In an interview with CoinDesk, Charlie said that the decision to cut off Mochi’s CRV rewards wasn’t made lightly, but that the situation was unique.
“I hate this ‘I need protection’ meme we’ve seen from Gensler,” he said, referring to U.S. Securities and Exchange Commission Chairman Gary Gensler. “Curve definitely doesn’t want to be gatekeepers or protectors, but we gotta draw the line somewhere when it comes to bad behavior. Mochi crossed it seven times over last night.”
Exploitative or exploit?
Regardless of whether Mochi’s maneuvering was an attack or a clever abuse of various DeFi protocols’ utility, the events were a remarkable display of the interconnected nature of the DeFi ecosystem, spanning multiple projects and layered functions.
Curve is a decentralized exchange tool primarily designed for swapping assets that are similar to each other, such as different stablecoins or ETH and its staked derivatives such as stETH. Curve’s liquidity providers are rewarded with CRV, the protocol’s governance token.
At the core of Mochi’s “governance attack” is veCRV – voting escrow Curve, a locked version of CRV that grants holders the ability to vote on “boosting” CRV rewards to certain liquidity pools. Throughout 2021, various protocols have vied to accumulate CRV and lock it as veCRV in order to boost rewards to pools that will benefit them. As a result, locked Curve is a popular metric to track:
#TheLockening🔒Nov. 2-7, 2021
Convex veCRV: 136.58m ( ⬆️🔒2.83m)
608k $CRV 🔄 veCRV today (41.85% of daily emissions)
91.31% of circulating CRV🔒as veCRV
Convex vote-locked CVX: 19.9m (⬆️🔒1.1m)
— DefiMoon 🦇🔊 (@DefiMoon) November 8, 2021
Mochi, a platform similar to asset-backed stablecoin issuers Spell and MakerDAO, gave users incentives to deposit assets in a Curve pool that included USDC, USDT, DAI and Mochi’s native stablecoin USDM leading into Wednesday night’s events, ultimately attracting over $170.2 million in liquidity at its peak, according to Azeem.
A final key cog in the events is Convex Finance. Convex is a protocol designed to maximize CRV rewards, and the protocol is now the largest veCRV holder with 136.58 million tokens, which is more than a third of CRV’s circulating supply. Users who lock Convex’s CVX token have the right to vote proportionally on how the protocol’s tokens are used for boosting the rate of rewards.
On Wednesday night, all of the above protocols and mechanics were on display. A Mochi team member swapped $46 million in USDM for DAI using the Mochi Curve pool, swapped the DAI for ETH and used a large portion of that ETH to purchase massive quantities of CVX, which they then locked.
This would have allowed them to vote on additional CRV rewards for the Mochi pool, which in turn would have attracted additional liquidity, allowing them to swap even more USDM for stablecoins to buy more CVX – ultimately creating a flywheel heavily tilting CRV rewards in their favor and attracting huge sums of liquidity to their platform.
It's crazy to me that this mochi / musd thing could work (as long as cvx is up only)…
Now they have millions in convex votes to direct liquidity to the musd pool
Which means insane yields for LPs there
Which means they can mint more musd for stables to buy more cvx
— DCF GOD (@dcfgod) November 11, 2021
Multiple observers have noted that KeeperDAO, FRAX, Olympus, CREAM and other DAO communities are voting or have voted to pursue similar strategies (if at a smaller scale), but the demands of public governance have slowed them down, and they couldn’t unilaterally move to seize voting power the way Mochi did.
As Mochi’s transactions unfolded, DeFi community members were quick to point out that the young protocol had numerous security and operational flaws, including that the team could arbitrarily print more USDM and that the price oracle for the token – a key piece of infrastructure that is often the target of hackers – was manually set by a team member’s address.
Dug around the mochi contracts and it's comedy gold
– Price oracle for $mochi is literally just a number set by a hot wallet (who needs chainlink lmao)
– The mochi token is upgradeable by a 1-of-3 multisig ("multisig") with no timelock
– The same multisig owns 99.5% of all mochi
— zefram.eth (trois, trois) (@boredGenius) November 11, 2021
Additionally, Azeem is a controversial figure in the DeFi sector. While running the Armor.fi insurance protocol, the developer was accused of personally deciding not to pay a user with a legitimate claim in February. Later that month, following a social engineering attack on an Armor team member that resulted in a $1 million loss, Azeem defended his colleague by saying that the developer was “sleepy and tired,” a phrase that has become widely mocked.
Multiple high-profile DeFi developers criticized Tuesday night’s scheme, with Yearn.Finance founder Andre Cronje referring to the transactions as “amazingly scammy.”
This is amazingly scammy;
1. Be Mochi
2. Incentivize USDM/3pool
3. Get $100mm liquidity
4. Mint free Mochi
5. Use Mochi to mint 46mm USDM
6. Swap USDM to DAI
7. Buy 46mm worth of CVX
8. Use CVX to vote more incentives
9. Liquidity increases more
10. Repeat ad infinitum https://t.co/SU1NwKDOmm
— Andre Cronje 👻 (@AndreCronjeTech) November 11, 2021
In an interview with CoinDesk, Banteg, a pseudonymous Yearn core contributor and one of the nine members of the Curve Emergency DAO, said the flywheel was dangerous given USDM’s dubious backing.
“Internal thinking was around mitigating the feedback loop Andre described when he first drew attention to the issue. With high concentration of votes towards one pool, it could cut into other pools, ultimately hurting Curve [liquidity providers],” Banteg said. “We know for a fact USDM is a worthless collateral. In retrospect, Curve DAO should’ve done a better due diligence on it.”
The Emergency DAO ultimately elected to cut off the Mochi pool’s rewards. At the time of writing, the pool has more than 31 million USDM valued at $0.49 per token and $1.3 million in stablecoins. Banteg noted he wasn’t among the signers on the transaction that ended emissions to Mochi’s pool.
Charlie said that the lack of basic security practices and not Azeem’s reputation led the DAO to take the unprecedented action. This is the first time the Emergency DAO has been invoked.
“I don’t think this Mochi situation is comparable to any other protocol building around Curve. There is a clear pattern of misbehavior and lack of concern for security, best practices and users’ funds,” Charlie said.
“I’m aware [Azeem] hasn’t got the best reputation, but I also don’t know about what happened with those other projects, and I prefer to work with the information I do have.”
Good question. Emergency DAO is a committee which is meant to act fast in emergencies. Decisions of emergency DAO can be reverted by the main DAO. Besides, the emergency DAO is appointed by the main DAO and currently has no team members.https://t.co/5UNUOTUxwX https://t.co/cJvczYhSoC
— Curve Finance (@CurveFinance) November 11, 2021
Azeem told CoinDesk that Mochi will address the security concerns expressed by the Emergency DAO and that the team plans to add “more secure multisig structure with additional signer requirements per transaction, suitable LTV (loan to value) parameters and clear tokenomics.”
“Once these are resolved we believe the gauge reinstatement will be deemed suitable, independent of strategic fears the whales and influencers may have with respect to our bold approach to gaining voting power in the DAO,” he said.
Rules of engagement
Mochi’s aggressive strategy and Curve’s ensuing governance action have prompted significant debate in the DeFi community.
Azeem blamed an unnamed “DeFi cartel” for how Mochi Inu has been treated, saying that Mochi poses a threat to the Curve Wars status quo.
“They are shocked and feel threatened that a small player on the outskirts of the Curve/Convex ecosystem became a powerhouse and a threat to their fledgling monopolies overnight. Is this not DeFi?” he asked.
Likewise, a number of observers have criticized both the existence of the Emergency DAO and that they chose to act, saying that signaling out a single user is inappropriate in what should be a permissionless system.
Mochi finance fiasco is quite interesting.
Mochi created a very dangerous market conditions for its users, but it didn't break any Curve rules.
Curve's Emergency DAO's actions might have been unjustified. The intentions were right, but was it their place to interject?
— Mudit Gupta (@Mudit__Gupta) November 11, 2021
Regardless of the controversy, Curve’s Charlie expressed some relief that there are now clear rules of engagement in the Curve Wars.
“I’m somewhat glad we drew the line of what a protocol can and can’t do. We’ve seen an escalation of bribes with different protocols trying to grab more and more power with Convex and Curve.”