Explained: The Mochi Inu Governance Hack (November 2021)

Rob Behnke

Mochi Inu was a relatively new project in the DeFi space when one of its team members performed an attempted governance hack against Curve.  The goal of this attack was to unfairly tilt rewards from Convex Finance, a yield farming protocol built on top of Curve, toward Mochi Inu.

Inside the Attack

The attempted attack by Mochi Inu was designed to exploit the design of the governance mechanism within Convex Finance.  Curve has a token called voting escrow Curve (veCRV), which is a locked version of the CRV token.  The veCRV token is designed to allow voting on governance matters within Curve, including the balance of how rewards are distributed to different projects within the protocol.

In November 2021, Mochi Inu set up a Curve Pool that attracted over $170.2 million in USDC, USDT, DAI, and Mochi’s USDM stablecoin.  One of the Mochi team members used the Mochi Curve pool to swap $46 million in USDM for DAI and then swapped this DAI for ETH.  Most of this ETH was then used to purchase CRV tokens.

These CRV tokens could then be locked to produce veCRV, which provided the attacker with a greater say in Curve’s governance.  The Mochi team member could have used this increased influence to have additional rewards sent to the Mochi Curve pool, increasing its value to investors.

These greater rewards would then attract more investment, giving the team member additional funds to use for buying and locking CRV to further push up rewards for the Mochi Curve pool.  

This cycle could have given Mochi outsized influence on Curve’s governance and the allocation of the rewards that it produced.

This attack was stopped by the Emergency DAO, a group of nine people who could take action to control CRV rewards under a multi-signature scheme.  This first use of Emergency DAO powers cut off the Mochi pool’s rewards, undercutting the governance attack.
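The feedback loop described above (veCRV vote share drives a pool's rewards, rewards attract deposits, deposits fund more locked CRV) can be made concrete with a small simulation. This is an added, deliberately simplified model written for this article, not Curve's or Convex's actual gauge-weight math; the reward-to-deposit multiplier, the reinvestment fraction, the "1 USD of locked CRV = 1 unit of voting weight" convention and the figure for other voters' veCRV are all assumptions, while the $46M and $170.2M starting points come from the incident as described.

```python
"""Simplified model of a voting-escrow reward feedback loop and an emergency cutoff."""
from dataclasses import dataclass
from typing import List, Optional


@dataclass
class RoundState:
    round: int
    attacker_vecrv: float   # voting weight held by the attacker (assumed: 1 USD locked = 1 unit)
    vote_share: float       # attacker's fraction of total voting weight this round
    pool_rewards: float     # rewards directed to the attacker's pool this round (USD)
    pool_tvl: float         # deposits in the attacker's pool after this round (USD)


def simulate_governance_loop(
    attacker_vecrv: float,       # weight after locking the CRV bought with pool funds
    other_vecrv: float,          # weight held by all other voters (assumed constant)
    pool_tvl: float,             # starting deposits in the pool (USD)
    reward_budget: float,        # rewards split across all pools per round (USD)
    tvl_per_reward_usd: float,   # assumed: new deposits attracted per USD of rewards
    reinvest_fraction: float,    # assumed: share of new deposits swapped into locked CRV
    rounds: int,
    emergency_cutoff_round: Optional[int] = None,  # round from which rewards are zeroed
) -> List[RoundState]:
    history: List[RoundState] = []
    for r in range(1, rounds + 1):
        vote_share = attacker_vecrv / (attacker_vecrv + other_vecrv)
        if emergency_cutoff_round is not None and r >= emergency_cutoff_round:
            rewards = 0.0  # Emergency DAO removes the pool's rewards; the loop loses its input
        else:
            rewards = reward_budget * vote_share  # vote-weighted allocation (simplified)
        new_deposits = rewards * tvl_per_reward_usd
        pool_tvl += new_deposits
        # Deposits the attacker controls are converted into more locked CRV, growing vote share.
        attacker_vecrv += new_deposits * reinvest_fraction
        history.append(RoundState(r, attacker_vecrv, vote_share, rewards, pool_tvl))
    return history


if __name__ == "__main__":
    # Constructed parameters: $46M of locked CRV vs. an assumed $400M held by other voters.
    for label, cutoff in (("no intervention", None), ("emergency cutoff at round 3", 3)):
        print(label)
        for s in simulate_governance_loop(46e6, 400e6, 170.2e6, 10e6, 5.0, 0.5, 6, cutoff):
            print(f"  round {s.round}: share={s.vote_share:.3%} "
                  f"rewards=${s.pool_rewards/1e6:.2f}M tvl=${s.pool_tvl/1e6:.1f}M")
```

Without intervention the attacker's vote share rises every round; once rewards are cut, the share freezes at its current level and the pool stops growing, which is the effect the Emergency DAO's action had in practice.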

Lessons Learned From the Attack

Accumulating veCRV to influence Curve's reward allocation is nothing new; other protocols attempt it as well.  Unlike those protocols, however, Mochi Inu lacks a public governance mechanism, which lets certain team members completely control the project's activities.  This, along with other security issues, is one of the primary reasons the Emergency DAO cut off Mochi Inu's rewards.

The Mochi Inu incident could be seen as a governance hack or clever exploitation of governance and reward mechanisms.  However, it definitely demonstrates the risks of centralized control of DeFi projects and the risks of investing in a DeFi project (like Mochi Inu) without doing adequate research.
