Share this page!

Nick C. Profile picture
Twitter logo
21 Nov, 6 tweets, 3 min read
Recap of where we're at with Pickle:

Two hours ago, a suspicious transaction was seen involving Pickle's new pDAI jar.

$20m worth of DAI was withdrawn to an EOA, which funded the attack with 10 ETH from Tornado (mixer).

No flash loan was involved as first believed.
At this moment, the attack vector seems to be related to a function in the Pickle controller (v4), which can swap coins from one strategy to another.

Rumor has it that there was no check on the Jar Swap function. Pickle was audited but seemingly before this function was added.
Affected users are already contacting the attacker.

The first image here shows someone, a purported "nurse," asking for $100,000 back from the attacker. The use of the nurse bit was popularized last week with the Value attack, where the attacker returned $50k to a "nurse"
We're seeing @coverprotocol respond to this in real time.

Cover launched literally two days ago, and Pickle was a project it began providing cover for. There was $430,000 in cover available last time I checked.

Community seems to think it's a valid claim already.
Pickle devs are telling users to withdraw funds for the time being.

I suppose it's unclear if the bug in the controller contract can be exploited on other Jars.

More communication between victims and the attacker. Attacker hasn't responded or moved any funds - different than the recent DeFi attacks.

• • •

Missing some Tweet in this thread? You can try to force a refresh
 

Keep Current with Nick C.

Nick C. Profile picture

Stay in touch and get notified when new unrolls are available from this author!

Read all threads

This Thread may be Removed Anytime!

PDF

Twitter may remove this content at anytime! Save it as PDF for later use!

Try unrolling a thread yourself!

how to unroll video
  1. Follow @ThreadReaderApp to mention us!

  2. From a Twitter thread mention us with a keyword "unroll"
@threadreaderapp unroll

Practice here first or read more on our help page!

More from @n2ckchong

Nick C. Profile picture
21 Nov
It appears we may have just seen our latest DeFi flash loan attack.

$20m in DAI stolen - potentially the biggest flash loan attack since Harvest a month ago, which took $30m in stables.

(h/t to @mattybchats for spotting this tx)
What's weird now is that Pickle's website currently is not working.

Those that are trying to access the Jars and Farms tab are just stuck with a loading screen.

Also, Discord channel seems to have no public channels. Was it like this before?
Some people are arguing that this isn't an exploit or not an attack - might be some unannounced strategy change they say.

The thing is, the person who did this tx got 10 ETH from Tornado + now owns nearly $20m in DAI in an EOA.
Read 10 tweets
Nick C. Profile picture
21 Nov
Back by popular demand. Again, with everything on DeFi being on-chain, we can see connect firms & addresses.

A breakdown of some of the known Ethereum addresses of a16z, Celsius, Nexo. Also, a look at addresses *likely* operated by firms like Alameda, Struck Capital, & more.

👇
a16z's (1/2) interesting because it became the first "mainstream" VC to go big on DeFi tokens.

They have $26m in MKR, $2m in SNX, and $1.5m in REP.

Of note, they're up $11m in their MKR.
a16z (2/2)

What I really remember about this address is others in the space eyeing it last year:

Someone deposited $250k of SNX into the address.

We still don't know if it was a16z.

Not much else to say though - I guess Pool 2 yield farming isn't in their mandate.
Read 16 tweets
Nick C. Profile picture
19 Nov
Wanted to bump this thread due to the Saffron Finance craze.

What I said about BarnBridge applies to Saffron - they're fundamentally similar projects with similar goals.

Saffron just launched first.

Here's a brief explanation of why $SFI is rallying so hard (up 400% today).
Tranches in finance are when a financial product/vehicle is split up into separate baskets to divvy up risk and yields to appeal to different investors.

There are junior tranches, which carry the most risk. If there is a default/crash, junior tranche holders take most losses.
To acquire Saffron Finance's governance token, SFI, users must deposit ETH-SFI Uniswap LP tokens or deposit into the two supported tranches, the "S" (senior) tranche and the "A" (junior) tranche.

- S tranche gets 71.25% of emissions
- A tranche gets 3.75%
- Uniswap LPs get 25%
Read 9 tweets
Nick C. Profile picture
19 Nov
Hands down one of the coolest DeFi products I've seen in recent months is Alpha Homora by @AlphaFinanceLab.

The product has seen a lot of attention over recent days as investors seek higher yields on Ethereum yield farming and liquidity mining.

Let's take a closer look.

👇
To put it simply, Alpha Homora allows users to obtain leverage on Ethereum yield farming.

It also automates the yield farming process, even if the user does not want to take leverage.

This is similar to what the @zapper_fi team did in its early days with Zaps.
When you want to LP one ETH into ETH/WBTC on Uniswap, you swap 0.5 ETH into WBTC, then supply both to the pool. Cool.

But let's say you want to collect more in trading fees or in UNI (if rewards are voted back in), you can take leverage of up to 2.5x (used to be like 3x).
Read 13 tweets
Nick C. Profile picture
18 Nov
What's beautiful (and kind of scary) about DeFi is that we can see everything that happens on-chain and connect addresses to identities and firms.

Here's a breakdown of the known Ethereum addresses of Three Arrows Capital, Polychain Capital, and Jump Trading.

👇
Three Arrows Capital (1/2):

One of the biggest Compound suppliers, with $100m in WBTC, $50m in ETH, and $6m in DAI.

3AC is also supplying 275 YFI and $13m in LINK to Aave and is farming SUSHI with 1.5m *recently-acquired* SUSHI.

3AC acquired 351k LINK during recent dip.
3AC (2/2):

With the collateral, 3AC is withdrawing stables and sending them to FTX. We've seen millions upon millions sent to an FTX address.

It is unclear what happens to the funds once they're there but 3AC is often on the profit + volume leaderboards on FTX.
Read 11 tweets
Nick C. Profile picture
17 Nov
Since UNI rewards ended yesterday, Uniswap's TVL has dropped by 40% to $1.9 billion. The bleeding shows no signs of abating yet.

Let's take a quick look at a few large liquidity providers (at random) and what they are doing with their freed-up capital. 👇
0xe0e withdrew $1.7m worth of liquidity from Uniswap's ETH-DAI pair.

They deposited all of that capital immediately into cAssets, cDAI and cETH.
0x975 withdrew $2.8m worth of liq from ETH-DAI.

They deposited all that capital back into Binance without converting the ETH into DAI or vice-versa.

They made this addy with the sole purpose of farming UNI, meaning they're probs looking to re-allocate to DeFi or BTC (UOA).
Read 10 tweets

Did Thread Reader help you today?

Support us! We are indie developers!

This site is made by just two indie developers on a laptop doing marketing, support and development! Read more about the story.

Become a Premium Member ($3/month or $30/year) and get exclusive features!

Become Premium

Too expensive? Make a small donation by buying us coffee ($5) or help with server cost ($10)

Donate via Paypal Become our Patreon

Thank you for your support!

Follow Us on Twitter!

Like this author's thread?

Get email notifications when new thread is out from this Author!

Check out other threads from this Author!

Read all threads by @n2ckchong