Never a dull day indeed. 

Today was among the busiest in recent DeFi memory, featuring a hack worth eight figures, a token dump worth upwards of eleven from none other than Ethereum co-founder Vitalik Buterin himself, a significant update on institutional adoption from Aave, and a proposal on Uniswap’s governance forums to turn $UNI into a governance token — a proposal once again courtesy of Vitalik. Rapid reactions, roughly in chronological order (assuming my memory isn’t totally fried from today):

Aave announces permissioned institutional trial pool

As first reported by Cointelegraph earlier today, Aave currently has a private test pool with institutional investors who are trying out DeFi

I had the distinct pleasure of chatting with Ajit Tripathi, the head of institutional business development for Aave (who is also an excellent Twitter follow BTW) about the initiative earlier this morning. The key quote from him is that the test pool is in an “advanced” state, and will likely be live and ready for production as a permissioned market with KYC/AML features soon.

The news set off a flurry of debate in the DeFi community about whether or not institutions and their legal needs — specifically, those KYC and AML barriers — are ideologically and technically compatible with DeFi.

Here’s the reality: in the short term, institutions dipping their toes in will inevitably be a boon for the space. More liquidity, more adoption, more users, more money floating around to fund your favorite projects staffed with wildly ambitious teenagers. Take their cash, their positive press, and shake them down for whatever they’ll give. 

In the long term, their walled gardens will ultimately be a historical blip. Permissioned pools will be slower, less agile, and have less liquidity than the wider space — they’re doomed to fail. This is a first step towards the institutions eventually embracing participation in fully decentralized systems, which is the inevitable endgame.

If that take makes me a bootlicker pandering to our CeFi overlords, so be it. The jokes at my expense have been good at least:

xToken gets exploited

One of the most promising projects in the space was exploited for upwards of $25 million this morning. While the nature of the exploit was complex — effectively merging and leveraging two attacks into one — there’s some argument that simple steps could have mitigated the problem. 

xToken allows users to hold interest-bearing derivatives of core assets like Aave and SNX that require some form of staking and/or governance or protocol participation in order to access their full value. The design is clever, even allowing users to select risk appetite or governance participation philosophy as options — much more nuanced than your standard “index” or “easy” product. 

However, the trade between the synthetic or derivative tokens and their parents is partly to blame for the exploit this morning.

Per whitehat hacker Emiliano Bonassi, the attacker manipulated the Kyber dex marketplace while also simultaneously taking advantage of how xToken calculates the price of their x-token derivatives. As he told me on Twitter, the attacket effectively put “two exploits” into a single transaction:

It’s becoming increasingly clear that using a single DEX as an oracle is irresponsible without some form of time-weighted average price calculation involved, which mitigates the effects of flash loans intended to throw of DEX prices. 

Products like xToken are important for tax efficiency and low-effort participation; here’s hoping they recover.

Sign up to get my bad takes right in your inbox!