Remove veCRV Whitelist Allowing Fully Permissionless CRV Locking

LlamaRisk does not have a stance on the following proposal; we offer it for the purpose of transparency and community discussion.

Summary:

Remove the Smart Wallet Checker (veCRV whitelist managed by Curve DAO) which will allow any EOA or smart contract, including Gnosis Safes, permissionless access to locking CRV and participating in Curve governance.

Abstract:

Since the inception of the Curve DAO, the Curve Voting Escrow (i.e. veCRV) contract has included a smart wallet checker that requires DAO approval for any smart contract to lock CRV and participate in governance. The check is performed when attempting to create a lock, increase the amount of an existing lock, or increase the duration of an existing lock.

The smart wallet checker can be bypassed, but there are important considerations due to the immutability of the Vote Escrow. The smart wallet checker cannot be bypassed by setting the stored address as the 0x0 address. Instead, it must be replaced by a simple contract that always returns True. A dummy smart wallet checker has been deployed at 0x9F9D3Ed278A018DB1Fc3aDe5D15A76BF5f672fdF.

Motivation:

The veCRV whitelist was imposed originally to prevent liquid derivatives of veCRV as this was considered a potential governance attack vector by circumventing the time lock requirement to participate in governance. As the DAO governance structure matured, several organizations have formed that include liquid lockers as a design feature (cvxCRV in Convex, sdCRV in StakeDAO, and yCRV in Yearn). Gating the privilege to create liquid lockers has helped Curve in its early years to ensure alignment with the constituent organizations and avoid potential malicious or otherwise undesirable acquisition of governance stake by low quality projects. An unfortunate side effect of this precaution has been that multisigs such as Gnosis Safe are also gated from locking CRV. Additionally, there can be an argument that diversity of governance stake has been artificially minimized by imposition of the whitelist and that innovations on Curve governance strategies have not been allowed to flourish to their full potential.

There has been some community discussion about the implications of the Pectra upgrade to Ethereum that may make it possible for smart contracts to circumvent the whitelist. EIP-7702 allows EOAs to set code in their account, blurring the distinction between EOA and contract. This is relevant to the smart wallet checker, which performs a check if the caller is an EOA, requiring msg.sender == tx.origin. There have been concerns raised on social media and in community discussion that there may be potential for contracts to spoof as an EOA to bypass the check.

According to EIP-7702, the use case that the smart wallet checker employs has been considered by the EIP authors and they explicitly state that, while there may be breaking changes for other niche use cases, this use case will be unaffected. As shown below, they state that “the EIP breaks the invariant that msg.sender == tx.origin only happens in the topmost frame of the transactions.” but that in the case of the smart wallet checker, “this invariant does not depend on the execution layer depth and, therefore, is not affected.”


Source: EIP-7702: Set Code for EOAs

There appears to be no change in the behavior of the smart wallet checker or pressing need to remove the whitelist from a technical perspective in light of the Pectra upgrade. The motivation is rather a question of increasing stakeholder diversity by allowing permissionless governance participation from multisigs and integrating protocols via smart contract.

According to the CRV supply schedule, ~2.2B of 3.03B CRV has been emitted, over 70% of the total supply. Of the emitted supply, 39% is currently locked. The proportion of CRV locked / total supply has been trending down since Q4 2024. It may be that removal of the whitelist can revitalize CRV locking from more diverse stakeholders and, since the majority of CRV has already been distributed (much of it already locked), the maturity of Curve’s existing governance structure makes it quite stable and unlikely to become a target for malicious governance takeover.


Source: https://dune.com/daletaxae1/curve

Source: crvhub.com

Source: https://dune.com/daletaxae1/curve

Specification:

The vote involves a commit and apply action to assign the “dummy” smart wallet checker authored by Swiss Stake. Both can be bundled into one vote.

```python
VOTING_ESCROW = "0x5f3b5DfEb7B28CDbD7FAba78963EE202a494e2A2"

ACTIONS = [
    (VOTING_ESCROW, "commit_smart_wallet_checker", "0x9F9D3Ed278A018DB1Fc3aDe5D15A76BF5f672fdF"),
    (VOTING_ESCROW, "apply_smart_wallet_checker"),
]
```

5 Likes
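
The check and the two-step checker replacement described in the proposal above, as a Python model. This is an added example, not the VotingEscrow contract's code and not part of the original post. The class, the `may_lock` helper and every address except the dummy checker's are constructed for illustration.

```python
# Simplified model of the veCRV smart wallet check (illustrative, not contract code).
ZERO_ADDRESS = "0x" + "00" * 20
DUMMY_CHECKER = "0x9F9D3Ed278A018DB1Fc3aDe5D15A76BF5f672fdF"  # from the proposal
OLD_CHECKER = "0xOLDCHECKER"  # constructed placeholder for the DAO whitelist
EOA, SAFE, APPROVED = "0xEOA", "0xSAFE", "0xAPPROVED"  # constructed placeholders
# Deployed checker contracts, modelled as address -> check(addr) function.
CHECKERS = {
    OLD_CHECKER: lambda addr: addr in {APPROVED},  # DAO-approved contracts only
    DUMMY_CHECKER: lambda addr: True,              # always returns True
}

class VotingEscrowModel:
    def __init__(self, checker):
        self.smart_wallet_checker = checker
        self.future_smart_wallet_checker = checker

    # Two-step update, matching the commit/apply pair in ACTIONS.
    def commit_smart_wallet_checker(self, addr):
        self.future_smart_wallet_checker = addr

    def apply_smart_wallet_checker(self):
        self.smart_wallet_checker = self.future_smart_wallet_checker

    def may_lock(self, msg_sender, tx_origin):
        """Gate on create lock, increase amount and increase duration."""
        if msg_sender == tx_origin:  # caller originated the transaction
            return True
        if self.smart_wallet_checker == ZERO_ADDRESS:
            return False             # no checker set: contracts stay blocked
        return CHECKERS[self.smart_wallet_checker](msg_sender)

def run_scenarios():
    ve, out = VotingEscrowModel(OLD_CHECKER), {}
    out["eoa"] = ve.may_lock(EOA, EOA)
    out["approved_contract"] = ve.may_lock(APPROVED, EOA)
    out["safe_with_whitelist"] = ve.may_lock(SAFE, EOA)
    ve.commit_smart_wallet_checker(ZERO_ADDRESS)
    ve.apply_smart_wallet_checker()
    out["safe_with_zero_checker"] = ve.may_lock(SAFE, EOA)
    ve.commit_smart_wallet_checker(DUMMY_CHECKER)
    out["safe_after_commit_only"] = ve.may_lock(SAFE, EOA)  # not applied yet
    ve.apply_smart_wallet_checker()
    out["safe_after_apply"] = ve.may_lock(SAFE, EOA)
    return out

if __name__ == "__main__":
    for name, allowed in run_scenarios().items():
        print(f"{name}: {allowed}")
```

In this model, clearing the checker to the zero address leaves a multisig blocked, and the commit has no effect until the apply step runs, which is why the vote bundles both actions.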

Thanks for the great summary.

I think we should spell out explicitly what attack vectors the white-list guarded against and whether they are an issue today. The logic seems to be:

Initial concern: A liquid locker with no time-lock could allow someone to vote maliciously and then immediately dump their share. Were there other reasons?

Today: There may be enough other long-term lockers to guard against that vector.

Will that always be the case, though? Wouldn’t everyone be incentivized to use the unrestricted liquid locker, so there is no guarantee of long-term-locker dominance?

2 Likes

The liquid lockers hold a combined 75% of veCRV stake presently and make up 70% of total CRV locked. There is a total 1,376,965,504 circulating supply of CRV, according to defiwars.xyz.

| Protocol | CRV Locked | veCRV Percentage |
| --- | --- | --- |
| Convex | 419,222,248.5698 CRV | 51% |
| StakeDAO | 119,136,204.3025 CRV | 14% |
| Yearn | 83,310,494.5358 CRV | 10% |

To give some conservative examples of potential scenarios that illustrate the resiliency of Curve governance, if all 1,376,965,504 circulating CRV were locked and all of them were locked by other governance participants, the Convex/StakeDAO/Yearn lockers would have a combined 38% share of governance power. Assuming the fully diluted supply of CRV were locked (3.03B CRV) and all were locked by other stakeholders, Convex/StakeDAO/Yearn would control a combined 20.5% of the total locked CRV.

| Total liquid locker CRV locked | Total CRV locked | Circulating CRV Today | Liquid Locker Locked CRV share (current) | Liquid Locker Locked CRV share (all circulating CRV locked) | Liquid Locker Locked CRV share (total CRV supply locked) |
| --- | --- | --- | --- | --- | --- |
| 621,668,947 | 880,447,367 | 1,376,965,504 | 70.6% | 38% | 20.5% |

Assuming that the current proportion of CRV locked / total supply is maintained at 38.3% at full dilution of 3.03B CRV, and CRV locked by Convex/StakeDAO/Yearn did not increase, they would control a combined 621,668,947 / 1,160,079,051 = 53.6% of the total locked CRV.

The initial concern was that veTokenomics were designed to ensure long term alignment between governance participants and circumventing the lock through liquid lockers could weaken the incentive alignment and lead to possible malicious governance takeover. A governance attack of this kind would require exuberant LPs to provide reliable exit liquidity, probably motivated (manipulated?) by a short-term incentive scheme.

1 Like

Oh, that’s a great point. A big chunk of all the CRV ever are already perma-locked.

That’s pretty persuasive IMO.

Thanks for the thoughtful response!

1 Like