The Curve Emergency DAO has killed the USDM gauge

Summary:

Last night, some unusual price action on CVX was brought to our attention. This came from an address which had just swapped 46M USDM to DAI in a factory pool.

After some research, along with Yearn and Convex, we realised those were the actions of the person behind the Mochi protocol.

  1. Mochi used bribes in their own token (MOCHI) to vote in a gauge receiving CRV
  2. Mochi incentivised votes to its gauge via Convex until the factory pool reached $100m liquidity
  3. Mochi minted a huge amount of tokens to themselves, Mochi has no minting cap or tokenomics
  4. Deposit those tokens onto the MOCHI which has a custom price oracle set by the Mochi team (meaning the Mochi team could mint as many tokens as they wanted if there was enough liquidity to trade it for stables that aren’t backed by air) and 90% LTV and mint $46m USDM
  5. Swap those USDM to DAI on Curve
  6. Use those DAI to purchase Ethereum and ultimately buy 1.05m CVX
  7. At that point, several people aware of the situation including Andre Cronje and myself tried to warn Mochi against locking those CVX as they would have been in a position to unfold their position and make LPs of that pool whole if the acquired CVX had remained liquid.
  8. Mochi eventually locked the CVX

Few more bits about Mochi and findings:

As this constitutes a clear governance attack and the emergency DAO deemed the LPs in that pool to be at risk, the emergency DAO agreed to kill the gauge so it stops receiving CRV emissions immediately. Those locked CVX would undoubtedly be used to deepen liquidity in the USDM pool to recreate the attack with Curve LPs left holding the bag and we urge Convex governance to take action against Mochi.

This is a good reminder that blindly accepting money from protocols for gauges or veCRV weight is a risky business especially with anyone being able to deploy Curve pools in the factory.
Permisionless pool factories and permisionless gauges are meant to empower governance which comes with serious responsibilities.

17 Likes

In the free market, everyone can do whatever they want. We cannot reach where we want with restrictions and embargoes. mochi will become decentralized in the future.

It is impossible to print USDM with mochi. You can generate only $9 million USDM. TVL on the Mochi protocol is $140m!

5 Likes

what does decentralize mean? i dont think its a good DAO

3 Likes

"You are misunderstanding “decentralization”. It means that anyone has access to the money rails (in this case, Ethereum).

“Decentralized” doesn’t mean “everyone has access to EVERYTHING”.

I have yet to hear one benefit to Curve of removing the whitelist."

Cf : https://twitter.com/0xLeibniz/status/1458531620248489988

2 Likes

Completely agree on the points about the oracle and the missing mochi tokenomics, but were the USDM LPs unaware of these facts, and did they request Curve’s protection? Having to ban a misbehaving protocol seems backwards to me versus not allowing its existence in the first place. Can this be boiled down to smart contract rules or does there simply need to be a whitelist? Perfect timing on this with the ongoing discussion.

3 Likes

Mochi is clearly a scam and we should not be supporting bad actors in our space

3 Likes

The events in the last 12hr highlight the importance of Curve governance and the power that we, as DAO participants hold in our hands. The events related to MOCHI INU could not go unnoticed or unacted upon. To do so would be to set a precedent that would reverberate thoughout defi.

Mochi.Fi was a rug, plain and simple. AZ is a bad actor. He violated the trust of Curve and Convex by performing the actions committed last night. Enaction of the emergency DAO was the right thing to do.
Many people often cite that DeFi is the wild west…they’re right. But law must still be maintained, sometimes even martial law. The DAO will decide if this action was the right choice, but I, for one, STRONGLY support the decision to kill the USDM gauge and I urge others in the DAO to do the same. Decentralized governance can always consider future actions related to USDM/Mochi, but temporarily, this was the right thing to do to protect the LP, the protocol, and the entire DeFi ecosystem who rely on Curve.Fi.

Furthermore, I think these events highlight the importance of maintaining the white list to protect the LPs. Churchill, quoting Thomas Paine, once noted that these are the times that try men’s souls. This is the first real test of our DAO. How we act in these events will reverberate through DeFi for years to come. Scams, Rugs and inferior forks should not be allowed to have access to CRV incentivization to promote these maleficences.

8 Likes

What happened here was a bad precedent for de-fi. Mainly due to the intellectual dishonesty of the arguments used to justify the removal of Mochi. And for the subsequent economic loss it caused some number of Curve users (all the while claiming to be concerned about Potential economic losses of those same holders).

First, I don’t hold Mochi or USDM, just been following the theatrics on social media. I have been a VeCRV holder since Jan of this year.

The arguments used by Charlie above are mostly invalid.

Regarding argument #1: bribing people for voting on Curve is wrong? There is a “https://bribe.crv.finance/” subdomain which facilitates bribes! Many stablecoin providers with farms on Curve have used it. Why is it wrong when another party does it?

Argument #2- see #1.

#3- the token supplies of mochi are visible on Etherscan

#4- Revised: I now understand the oracle use in the OP refers to pricing Mochi’s token (not DAI). I can see why this might be viewed as risky. On one hand, the token was not trading and therefore there was no reliable price oracle except their own. On the other, stablecoins should have reliable collateral and it’s hard to say that an unreleased token was one.

#5->6: not arguments, just descriptions

#7: Concern is expressed about the vulnerability of mochi LP’s and yet the Curve DAO’s actions in removing the Curve gauge crushed users in USDM, especially those who swapped for it on Curve. On one hand, there was concern of a risk to holder; then on the other hand Curve DAO actually causes economic loss to those holders by a rash and unnecessary action in removing the gauge (and causing a “bank run”). USDM is trading at something like $0.33. That’s quite a haircut holders would take.

Later the argument is made that 99.5% of mochi circ supply is owned by team. This is intellectually dishonest because the Mochi token was only launched yesterday far as I know. Users only started buying it. Every project begins with the project owning 100% of the tokens and then when available for sale, users acquire it.

When you observe the insufficiency of justifications for this move, I can only conclude the real reason has to do with relationships with projects like Olympus/OHM and Keeper DAO.

This is a dark day for the DAO- not for taking emergency action but doing based on improper grounds, as I’ve illustrated above. This was a political decision to benefit certain people close to Charlie and Curve, and not in the best interests of the project. The decision apparently caused many USDM holders to sell in a panic and caused what I am guessing is a serious economic loss. This is what happens when you play favorites, and dress it up as governance.

5 Likes

Yes! Curve and Covex should have a social contract (at min if not actual code) that allows the community with a vote to punish bad and terrible actors and return as much as reasonably possible to “victims”. People do all sorts of silly (or stupid) things but that does not mean they need to be scammed and stolen from. Such social (or other) contract will also discharge bad actors from doing it in the first place.

The order of actions that the MOCHI team took was to (1) mint their new MOCHI token, (2) borrow USDM against the MOCHI based on the fixed price/custom oracle they created, (3) sell USDM into their meta pool and withdraw DAI, (4) trade DAI for ETH and finally (5) seed a UniV2 pool with MOCHI and ETH (they needed to acquire the ETH in this manner to seed the pool). There was no market price for MOCHI tokens at the time they borrowed new USDM from their protocol. This link in Charlie’s post gives a bit more info on the price oracle that’s helpful: https://twitter.com/boredgenius/status/1458732732540854276?s=12

I think it’s fair that the Emergency DAO considered this to be a manipulative use of the Curve metapool that should not be rewarded going forward. Anyone can start a factory pool and anyone can deposit and trade on that. The DAO can’t stop that. But the DAO (and on short notice the Emergency DAO) can make a call on whether CRV rewards should continue to incentivize a pool based on all the context. If the DAO does not want to continue to direct CRV emissions to a pool that can be manipulated by a protocol as described above, then this was the right action to take.

Additionally, just want to clarify the below about KeeperDAO vs. KP3R:

This sounds like you are referring to the proposed acquisition by KeeperDAO to acquire a large amount of CVX. KeeperDAO is a separate and unique protocol and DAO from Cronje’s Keep3r. If you have other information/evidence that Cronje’s protocol was looking to buy CVX as well, then please share that, otherwise I think this may be a mixup and an incorrect explanation of motive.

4 Likes

Really great take. Thank you.

1 Like

I concur with @jagrmeister.

The issue here is that one of two things occurred:

a) the MOCHI launch was an attempted rug
b) the MOCHI launch was not an attempted rug

If the MOCHI launch was an attempted rug, then the Curve Emergency DAO vote to remove the USDM gauge could be an appropriate measure to delist an attempted rug.

If the MOCHI launch was not an attempted rug, the Curve Emergency DAO vote to remove the USDM is inappropriate.

For example, USDM may have been undercollateralized. Or, it may have been appropriately collateralized, backed by ~1 million locked CVX tokens intended to vote for the USDM-3CRV pool, which was then unilaterally stripped from USDM by the Curve Emergency DAO, self-fulfilling this undercollateralization prophecy.

MOCHI may have “rugged”. MOCHI may have not. At the very least, MOCHI should be allowed to explain itself, or at least explain some of the accusations leveled at it which were used to strip the USDM gauge.

I also wonder if the use of the Curve Emergency DAO was really necessary in this case.

What does removing the USDM gauge accomplish? By removing the gauge, are USDM-3CRV pool users going to have the effects of the rug lessened? Or, by removing the gauge, does it cause a 3CRV asset run in the USDM-3CRV pool, giving the appearance of a rug, on top of providing a guilty-until-proven-innocent presumption which MOCHI then has to overcome? How do the effects of this decision compare to a, say, publicized warning about the potential dangers of the MOCHI and USDM-3CRV protocol and pool, at least until such time a rug/scam has been confirmed?

In short, why rush to rescind CRV (and CVX) rewards – are the effects of these rewards really great enough to warrant immediate executive emergency action? It only gives the appearance of politically and economically driven bias towards other protocols that may see MOCHI as a threat, as referenced by @jagrmeister.

4 Likes

Thanks for the clarification regarding Keep3r and Keeper DAO - I’ve removed that section.

In retrospect it seems there were a lot of red flags that are severe enough that, even if the original gauge vote were not denied outright, there should at least have been critical discussion on the topic. (Knowing what I know now, I wouldn’t support giving USDM pool a gauge.) There seems to have been no discussion on this forum before voting in this gauge. The votes on both Convex and Curve were resoundingly positive for the gauge.

Convex: Snapshot
Curve: https://dao.curve.fi/vote/ownership/87

Mochi had previously promised an airdrop to both veCRV and vlCVX voters, so that explains the warm welcome from the DAO.

Now a bunch of really concerning problems with Mochi are surfacing, including:

  • Price oracle for $mochi is literally just a number set by a hot wallet
  • The mochi token is upgradeable by a 1-of-3 multisig (“multisig”) with no timelock
  • The same multisig owns 99.5% of all mochi
  • all the collateral (yes, all $136.3M) used for minting USDM can also be instarugged. This is thanks to the multisig having the power to update ownership status of collateral within the MochiEngine contract.

sources: https://twitter.com/boredGenius/status/1458740237945872384 | https://twitter.com/boredGenius/status/1458732732540854276

There are a lot of smart people working on Curve, but there’s a lot of things people have to think about besides getting bogged down in research on every single gauge proposal. We need to have a committee responsible for reviewing protocols seeking a gauge, and provide a risk analysis that informs the DAO more completely on what we are voting for. None of the above concerns were discussed until Mochi started allegedly rugging its protocol.
The committee should be paid a salary to compensate their work, and it should come from the community fund.

I’m just posing the thought here as a temperature check. If other people want this, I’m happy to create a proposal.

7 Likes

I actually support exploring this idea. The caveat is that the committee would need to work within a set time frame, say a week, to ensure rapid turn around for any proposals prior to voting. The committee should also be composed of members who are familiar with audits and protocol evaluation.

I agree completely with @jagrmeister and @bgenci. You can’t claim you’re protecting users from a loss of funds and cause them to lose a ton of funds with your decision.

Revert this or defi is dead.

1 Like

Question: Do we know how much the de-pegging in USDM owed to Mochi’s trading against the USDM pool (selling USDM for DAI) versus how much happened from the “bank run” (users panicking after Curve gauge removed and selling USDM, lowering its price)?

1 Like

I pulled the 3Crv and USDM balances from the pool at certain points in time using the Etherscan tokencheck tool (https://etherscan.io/tokencheck-tool). See the image link for balances (i) immediately before and after the Mochi trade, (ii) at the time of the gauge was killed and (iii) two timestamps afterward: https://imgur.com/a/b7W9X3g

Maybe someone smarter than me can do the Curve math to determine what the price was at these times. There was 102 million 3crv prior at the start. The Mochi trade drained 45 million 3crv, another 29.6 million 3crv was removed before the gauge was killed and almost all of it has been removed since then.

2 Likes

This was the correct move.

We should take stronger ownership of the gauges we back.

It’d be in Curve’s interest to audit existing projects for how supply can be managed and ensure such practices are unavailable to other gauges.

In addition we should monitor liquidation engines and their performance.

A gauge is an endorsement, we should fund tools to enable governance to be informed on these qualities of assets we host.

for reference

3 Likes