Edition No. 3 - LexNews+ Weekly
Curve Exploit; Rakoff vs Torres; Coinbase's motion to dismiss; SEC vs. Richard Heart
Hi anon :)
Welcome back to LexNews+ Weekly! This letter is meant to provide LexDAO members and subscribers easy-to-digest summaries of the biggest stories in cryptolaw each week, as well as internal updates of LexDAO operations and projects. We’re excited to continue to expand the horizon of LexDAO’s impact through this medium, and to continue to build out the profession of legal engineering. Let’s get started!
Authors: Kyler Wandler, Nick Corso, Kris Jones, @TxBlokChainLaw
Sections:
1. Headlines (The top stories in cryptolaw this week)
2. Podcasts
3. LexDAO weekly loadout (agenda, events, publications, and more!)
4. Closing Statements
Headlines
Five things you might have missed this week:
Curve Pools Exploited Using Vyper Vulnerability 🐍
Never trust a snake?
On July 30 cybercriminals exploited a major vulnerability in the Vyper smart contract programing language to execute reentrancy attacks on four major liquidity pools on the Curve Finance decentralized exchange. Curve reported a total outflow of 32M Curve DAO (CRV) tokens—worth about $22M—from the CRV/ETH pool. Other project liquidity pools affected include Alchemix’s alETH/ETH pool, JPEGd’s pETH/ETH, and Metronome’s sETH/ETH. Additionally, several projects on the Binance Smart Chain (BSC) were exploited in copycat attacks. The vulnerability exploited by these attacks is found in Vyper versions 0.2.15, 0.2.16 and 0.3.0.
With multiple pools hit by the reentrancy attack, the event signaled a potential for contagion. The price of CRV had been relatively steady at 73 cents on July 30, but fell following the attack to a low of about 50 cents on July 31. While this represents a significant amount of token value wiped for the project and community, the major looming domino was a debt position on Aave held by Curve founder Michael Egorov—a loan position of $63M in Tether, backed by $168M in CRV, and a CRV liquidation price of 37 cents. Egorov additionally held debt positions at Fraxlend ($17M) and Abracadabra ($18M) that were also collateralized by CRV. Following public on-chain movements, Egorov took steps to pay down the debt and reduce the risk of liquidation. Meanwhile the price of CRV has recovered somewhat.
The involvement of Curve and Aave—two major DeFi darlings—in the most recent drama is raising questions around just how decentralized and resilient the DeFi ecosystem is and the adequacy of current risk management practices when it comes to avoiding systemic breakdowns at the protocol level. And with a major CRV liquidation event potentially on the horizon pursuant to founder Egorov’s debt positions, an already deflated CRV token carries the additional risk of significant sell pressure. More broadly, the situation raises difficult questions on ethics, potential liability, and centralization of token ownership in the DAO and DeFi space. Aave is now considering some of these questions through a DAO governance vote on Proposal 288—reducing the CRV LT, LTV, and debt ceiling.
In the end, much of the exploited funds have been returned to the projects, some from MEV exploiting the hacker (@c0ffeebabe_eth ftw) and some from the exploiter taking a 10% whitehat bounty. And the risk of major contagion posed by potential liquidation appears to have subsided—at least for the time being—with CRV climbing back above 60 cents.
Curve, for its part, has offered on-chain a $1.8M bounty payable to anyone with doxxing information on the attacker(s) leading to a court conviction. While most funds have been returned and the looming contagion seems to have shrunk back to the shadows for now, the bigger questions around protocol risk management, centralization, ethics, and liability remain largely unaddressed.
Useful links:
Egorov loan position changes explored on-chain
Breakdown of the Vyper Vulnerability
Curve’s Conviction Bounty Tweet - Etherscan
Terraform Labs motion to dismiss denied; Judge Rakoff rejects Torres’ interpretation⚖️
Persuasive precedent — but not persuasive enough
Mere weeks after US District Judge Analisa Torres issued an analysis of what constitutes an investment contract in the SEC v. Ripple Labs case—one largely endorsed by the digital asset space—another judge from the same Southern District of New York (SDNY) has expressly rejected key aspects of her approach.
In SEC v. Terraform Labs, Judge Jed Rakoff denied defendant’s motion to dismiss, ruling the SEC adequately pleaded Terraform Labs sold crypto assets that were investment contracts under the seminal Howey Test. In doing so, Judge Rakoff breaks with the Ripple ruling by failing to differentiate—as Torres did— between primary insurances of tokens to institutional investors and secondary transactions with retail purchasers. Rakoff finds this distinction inconsistent with Howey because the manner of sale does not alter the purchasers’ reasonable expectation of profit. In this case, the Securities and Exchange Commission (SEC) alleges Terraform Labs and its founder Do Keyong Kwon encouraged the sale of digital assets by touting future returns to purchasers of all sorts.
In spite of this significant divergence, both judges seem to agree digital assets themselves are not inherently securities but can be sold as such depending on the offering, sale, or use connected to a purchaser’s economic benefit. Judge Rakoff also acknowledged stablecoins are likely not investment contracts when designed to maintain a consistent price as a stable store of value rather than produce an investment return.
Since neither ruling constitutes binding legal authority, this is likely only the beginning of much more litigation on digital assets and their relation to securities laws.
Coinbase files motion to Dismiss SEC complaint 🍊
This ain’t your grandpa’s orange grove.
On August 4th Coinbase moved to dismiss the SEC’s case alleging Coinbase acted as a unregistered broker, exchange, and clearing agency by selling unregistered “crypto asset securities.”
Coinbase’s carefully articulated argument is straightforward—Coinbase does not offer “investment contracts” and therefore does not sell securities. The term “investment contract” has been interpreted by the Supreme Court to essentially mean the buyer has a contractually grounded expectation of future value. Coinbase, to the contrary, asserts it engages in commodity sales outside the SEC’s jurisdiction. The defendant’s motion contains numerous references to the recent Ripple ruling, which found secondary digital asset sales to retail purchasers failed to satisfy the Howey Test, and as such were not unregistered “investment contract” securities. The motion also alleges the SEC is deliberately attempting to get a head start by claiming authority over digital assets while Congress considers legislation that would delegate this exact authority to a different government agency.
In a tweet posted the day the motion was filed, Paul Grewal—Chief Legal Officer at Coinbase—asserted the SEC had ignored precent, violated due process, abused its discretion, and “trampled the strict boundaries on its basic authority set by Congress.”
As the crypto industry anxiously awaits a ruling on the motion, the recent court case SEC v. Terraform Labs—and its marked divergence from the Ripple case in applying the Howey Test—has added significant uncertainty. The Terraform court ruled in favor of the SEC on a motion to dismiss, while expressly rejecting the securities analysis for secondary retail sales found in SEC v. Ripple Labs.
Neither Ripple nor Terraform constitute binding precedent, making it difficult to predict the success of Coinbase’s recent motion.
SEC vs Richard Heart ❤️ ➡️ 💔
Don’t Go Breaking My Heart (SEC)
Of all the crypto cases for the SEC to bring this enforcement season, possibly the least surprising is that against Richard Schueler, also known as Richard Heart. The SEC claims Heart raised more than $1B through the sale of unregistered securities related to HEX, PulseChain (PLS), and PulseX (PLSX), using promises of extravagant future wealth to do so. The case is notably being brought by the SEC in the Eastern District of NY. The SEC is pursuing permanent injunctive relief, disgorgement, prejudgment interest, and civil penalties against Heart and the projects.
In addition to selling unregistered securities, the SEC also alleges Heart misappropriated over $12M in customer funds for a variety of lavish personal purchases, including a 555-carat diamond, designer watches, and luxury cars. Indeed, many such items are on full display through Heart’s own social media activity.
Currently based in Finland, Heart is subject to a civil summons requiring a response to the SEC’s complaint within 21 days. Failure to do so could risk a default judgment.
While potentially unsurprising to most, there were many takes on the importance of this case for the broader ecosystem. Some compelling questions were raised by Drew Hinkes via Twitter on issues such as responsibility, venue, code forking, and more, the answers to which could prove precedent setting in crypto law.
(See also: Summer Things, Lex Node, Stephen Palley, Meat, Esq., Propel Forward, CBSnews)
Podcasts
Too tired to read, anon? We feel that. Try these instead:
LexDAO weekly loadout:
Updates and agendas for all things LexDAO can be found here at the Governance Agenda Document
WEEKLY AGENDA:
Closing Statements
We want to hear from you:
If you enjoyed what you read today, subscribe to receive the weekly publication and give the authors a follow on Twitter for live updates throughout the week. Additionally, consider becoming a member of LexDAO!
Did you make any money racing hamsters this week? That was pretty wild. Charlie (the hamster) was a disappointment, to be frank, but overall quite pleased. :)
LexDAO, scaling legal engineering together.
Quote of the Week:
“codeslaw” - source unknown