Welcome back to Inside DeFi
Aave, DeFi’s largest protocol, has finally voted on the long-awaited Aave Will Win proposal from founder Stani Kulechov’s Aave Labs. Guess who won.
This week’s issue also rounds up some of the week’s security news, including a hack with unintended upsides, a review of ZK proof security, and more.
Aave vote sees service providers sour
To no-one’s surprise, Aave Labs won last weekend’s vote on the Aave Will Win Framework proposal.
The Snapshot vote passed narrowly, with 52.6% in favor. Overall, just shy of 1.2 million tokens were used for voting, less than 8% of AAVE’s circulating supply, which seems surprising for such a high-stakes decision.
Following the win, Stani Kulechov took to X to promise “structural improvements for the ARFC stage based on community feedback.” However, replies were restricted.
Governance delegate Marc Zeller of ACI wasn’t happy with the result.
Reflecting on the results, he points to three Labs-linked whale addresses which swung the vote: “The community rejected the proposal. Labs overrode it on their own $51 million budget request.”
The following day, ACI announced its decision to leave Aave, following in the footsteps of developers BGD Labs.
The forum post reasons “there is no role for an independent service provider in an environment where the largest budget recipient holds undisclosed voting power and uses it on its own proposals.”
Kulechov paid tribute to Zeller’s impact on Aave which he called “well documented and widely felt,” before assuring users that the protocol and incentives are back to business as usual.
Despite months of DAO drama, Aave’s in/outflows remain unaffected, even when the AAVE price is bleeding compared to competitor Morpho.
A donation attack has its upsides
The sDOLA/crvUSD market on LlamaLend, the lending arm of Curve Finance, was hit by a so-called donation attack.
After initial suspicions that Inverse Finance’s contract was the target, founder Nour Haridy set the record straight, pointing instead to the 14% bonus enjoyed by sDOLA holders.
Curve’s investigation stated that the exploit relied on the “combination of which price oracle is used for sDOLA… vs how much sDOLA existed outside of collateral in this market.” A more detailed analysis can be found here.
As well as a bump for sDOLA holders, the buy pressure from liquidation repegged crvUSD, after around a month under peg.
Curve says it would have paid the attacker more as a bounty if they’d disclosed the bug than they made by exploiting it.
ZK ain’t EZ
A pair of zero-knowledge proof (ZKP) exploits from recent weeks prompted a security review of Groth16 verifiers.
The report states that simpler bugs (such as the incorrect setup exploited in both cases) were missed while developers concentrated on the complex codebases associated with ZKP protocols.
The projects affected, Veil.Cash and Foom.Cash, were exploited for around $10,000 and $2.26 million, respectively. Though the majority of funds were returned to the latter project by whitehat hackers, including Decurity, who carried out the exploit.
Elsewhere…
A scare over Lido’s wstETH bridge to ZKsync led the project to close the bridge to new deposits on Tuesday. A fix will be audited and deployed in the “next scheduled on-chain Lido governance omnibus vote… after which deposits will resume.”
OpenZeppelin audited Paradigm and OpenAI’s EVMbench, covered in a prior edition.
The report highlighted “methodological flaws” accusing the model of relying on “pattern matching” of known bugs, rather than aiming to discover novel vulnerabilities.
It also criticized “invalid vulnerability classifications including at least four issues labeled high severity that are not exploitable in practice.”
The post describes a “structural problem” in that publicly available training data “often includes disputes, invalid issues, and inconsistent quality.” Without “expert curation,” models will inevitably inherit that “noise,” leading to “higher false-positive rates, misleading benchmarks, and security tools that look good on paper but underperform where it counts.”
Thursday saw Solv Protocol exploited for $2.7 million. Decurity explained that a “double-minting flaw” allowed an attacker to loop 22 burn-mint transactions “turning 135 BRO into 567M BRO.” The tokens were then swapped for 38 SolvBTC… bro.
Solv Protocol later acknowledged the incident, stating that the affected users, who number less than 10, would have losses reimbursed.
Security researcher and developer storming0x claimed that OpenAI’s coding assistant Codex was able to spot the vulnerability “in two minutes flat, with simple prompt and skills, without any additional context.”
— Jake Harrison
The post Inside DeFi 007: đź’ Aave Labs in charge, ACI reaches breaking point appeared first on Protos.
