In this issue:
How to catch a falling knife
Badger Badger Badger Badger
The $2.6B Solana bug
How to catch a falling knife
On Friday evening the price of Bitcoin dropped abruptly from ~$53k/BTC to ~$42k/BTC over a few hours (~21%). Bitcoin markets trade 24/7 but the markets are definitely thinner in off hours — on some exchanges the order book cleared out all the way down to $28k/BTC.[1] At time of writing Bitcoin is trading at ~$49k/BTC.
As we’ve talked about before, this kind of crash is caused by a liquidation cascade, where the falling price forces margin-long traders to sell their positions, which drives the price down further and forces other margin-long traders to liquidate. The domino effect of margin traders tripping over each other is what creates the spikes/crashes and retracements we see over and over again in the markets.
Given the timing of this particular cascade it seems likely it was caused deliberately by a trader (or group of traders) who targeted a weak moment in the market — otherwise why choose to sell so aggressively in a window where there were almost no buyers? Large predators were swimming in those waters.

The optimists have been, for the moment, obliterated. One way to see that is in the futures funding rate, which has gone negative for the first time since late September. When the funding rate is positive (green) that means there are more longs than shorts and the longs are paying shorts for the privilege. When the funding rate is negative (red) that means shorts outnumber longs and are paying them. You can see the market’s sharp pivot to pessimism:
As is usually the case when Bitcoin moves down, most of the major cryptos experienced losses as well — but interestingly Ethereum did not fall nearly as far, meaning that the ETH/BTC pair is actually trading at a multi-year high, the highest it has been since mid-2018. Traditionally during moments of market panic prices go down but Bitcoin’s market share goes up as altcoin traders retreat to the relative safety of Bitcoin. Friday’s movements suggest a significant portion of the market now prefers to weather the storm in ETH instead.
Badger Badger Badger Badger
On Thursday a hacker (or hackers) was able to steal ~$120M worth of Ethereum and Bitcoin from a DeFi lending organization called BadgerDAO. One user lost 900 BTC (~$50M at the time) in a single transaction.
We’ve talked about DeFi exploits a few times recently but we only end up covering a fraction of the ones that happen. According to blockchain security firm SlowMist a total of ~$2.9B of exploits have happened in the Ethereum ecosystem. But the BadgerDAO incident was interesting in a number of ways.
One interesting thing is that the BadgerDAO smart contract was not the point of attack. Instead hackers took control of the website app.badger.com and deployed hostile code that tricked users into authorizing malicious transactions. If BadgerDAO is sort of like a bank the hackers didn’t break into the vault, they dressed up as bank tellers and tricked people into handing them their deposits. Technically users of the contract were fine, it was users of the website whose money was stolen. That’s a bummer for them because the smart contract was insured (by DeFi insurance platform Nexus Mutual) but the website … was not. Oops.
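A wallet-side check for the kind of front-end attack described above, as an added example (not BadgerDAO's code and not part of the original newsletter): it assumes the malicious authorization takes the form of an ERC-20 style approval call and flags any approval whose spender is not on a user-maintained allowlist. The `reviewTransaction` helper, the allowlist and both addresses are hypothetical.

```javascript
// Added example: classify calldata before signing. Selectors are the standard
// ERC-20 / ERC-721 approval functions; every address here is constructed.
const APPROVAL_SELECTORS = new Map([
  ["095ea7b3", "approve(address,uint256)"],
  ["39509351", "increaseAllowance(address,uint256)"],
  ["a22cb465", "setApprovalForAll(address,bool)"],
]);
const MAX_UINT256 = (1n << 256n) - 1n;

function decodeApproval(data) {
  const hex = String(data).toLowerCase().replace(/^0x/, "");
  const signature = APPROVAL_SELECTORS.get(hex.slice(0, 8));
  if (!signature) return null; // not an approval-type call
  const args = hex.slice(8);
  if (args.length < 128 || !/^[0-9a-f]+$/.test(args)) {
    throw new Error("malformed approval calldata");
  }
  // An ABI-encoded address is right-aligned: the upper 12 bytes must be zero.
  if (!args.startsWith("0".repeat(24))) throw new Error("non-canonical address word");
  return {
    signature,
    spender: "0x" + args.slice(24, 64),
    amount: BigInt("0x" + args.slice(64, 128)),
  };
}

function reviewTransaction(tx, trustedSpenders) {
  const call = decodeApproval(tx.data);
  if (call === null) return { verdict: "not-an-approval" };
  const trusted = trustedSpenders.some((a) => a.toLowerCase() === call.spender);
  // Unlimited: max allowance, or operator rights over every token (bool true).
  const unlimited = call.signature.startsWith("setApprovalForAll")
    ? call.amount !== 0n
    : call.amount === MAX_UINT256;
  const verdict = trusted ? "allow" : unlimited ? "block" : "warn";
  return { verdict, unlimited, ...call };
}

// Constructed samples (hypothetical addresses, not taken from the incident).
const TRUSTED_VAULT = "0x1111111111111111111111111111111111111111";
const UNKNOWN_SPENDER = "0x2222222222222222222222222222222222222222";
const encode = (selector, address, amount) =>
  "0x" + selector + address.slice(2).padStart(64, "0") + amount.toString(16).padStart(64, "0");

const injected = { data: encode("39509351", UNKNOWN_SPENDER, MAX_UINT256) };
console.log(reviewTransaction(injected, [TRUSTED_VAULT]));
```

The check sees only the calldata, so it still works when the page requesting the signature is the compromised component.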


Another interesting thing is that the BadgerDAO dev team built emergency controls into the contract allowing them to unilaterally pause all transactions. They were actually able to lock down the contract faster than they were able to reclaim control of the website:


Pausing the contract likely saved millions of dollars — a similar exploit recently in Compound.Finance was made much worse because governance controls meant the bug fix took seven days to deploy. But if a centrally controlled website can be a vector of attack and a centrally controlled dev switch can pause the contract and freeze funds at any time, that raises uncomfortable questions about how decentralized BadgerDAO actually is in practice.
Most DeFi projects are more aspirationally decentralized than actually decentralized, and most DeFi users don’t really understand or care. Paying the expensive transaction fees for a blockchain but exclusively using it through a centralized website is basically LARPing but it’s what the vast majority of users do. So when hackers want to steal from BadgerDAO they target the front end — and when the government wants to regulate the trading that happens on Uniswap they do the same:
The story of decentralization in DeFi is a parade of asterisks and caveats. Most DeFi projects are decentralized in the same way that Cheez-Its are a dairy product.
To be clear — that may be a reasonable strategy. Right now regulators in the US at least seem content to let many of these experiments flourish and quietly negotiate compliance terms with them rather than simply ban them outright. Actual decentralization may not be necessary. To be truly decentralized is difficult, expensive and inconvenient — but to market yourself as decentralized you really only need a smart contract. That’s much easier.
Other things happening right now:
Most of the major DeFi exploits so far have happened on Ethereum, but that’s more because Ethereum is where the attention and capital is than because other platforms are fundamentally more secure. A single bug in the Solana Program Library that was publicly disclosed and left unresolved for 6 months was putting ~$2.6B worth of funds at risk. In the Solana ecosystem a lot of projects aren’t even open-source, so it’s difficult to know whether the bug has actually been patched everywhere yet or not.
In Gary Gensler’s opinion Ethereum would have passed the Howey Test (and hence been considered a security) meaning the crowdsale was an illegal unregistered securities offering. Interestingly, by using past tense Gensler is implying Ethereum is no longer a security. That’s great news for Vitalik & Co. but it is interesting more generally because it implies a previously centralized token can reach some threshold of "decentralized enough" to graduate out of being a security. No hints about where to draw that line, though.

[1] The swing was severe enough that the price of Tether reached $1.025 / USDT. That may not sound like a lot but it was the largest deviation from Tether’s USD peg since the crash on May 19th.