Gamma STIP Program Updates

[Gamma] Interim Update

An update about Gamma’s STIP grant in the context of a recent security incident

Summary of the Incident

Link to Post-Mortem

At approximately 3:45 AM UTC on January 4, members of the Gamma team realized a successful exploit was occurring on several Arbitrum stable and LST vaults across several exchanges.

The following vaults were attacked:

NOTE: None of these vaults were selected for incentives by the GAMMA STIP program.

gDAI-DAI 0.01% (Uniswap — Arbitrum)
Vault Address: 0x33985Ca762541e2412F454c6F2e7EC677645D1dF
Pool Address: 0x9F934D552476c992De3751A4873f2C1fBEB032B2
Losses: ~ $2.74M

wstETH-WETH (Camelot — Arbitrum)
Vault Address: 0x3D53aC3Abec01827cAaE5Bc934d46b171cEa2206
Pool Address: 0xdEb89DE4bb6ecf5BFeD581EB049308b52d9b2Da7
Losses: ~ $771K

USDT-USDC.e (Camelot — Arbitrum)
Vault Address: 0x61A7b3dae70D943C6f2eA9ba4FfD2fEcc6AF15E4
Pool Address: 0x3AB5DD69950a948c55D1FBFb7500BF92B4Bd4C48
Losses: ~ $1.357M

USDC-USDC.e (Ramses — Arbitrum)
Vault Address: 0x80709a760Ff54112bD3e0CE31C104d912bA51774
Pool Address: 0x562d29b54d2c57F8620C920415C4dCEAdD6dE2d2
Losses: ~ $1.313M

Immediate Response

Our first response was restricting vault deposits to mitigate the attack vector immediately. Because the attack vector relied on the ability to make deposits into the pool, restricting vault deposits on every public-facing vault was a broad but effective means of nullifying the attack. Going network-by-network, we restricted all deposits at the smart contract level and notified our partner AMMs as soon as such actions were taken.

Gamma tried to contact the attacker and understand the attack vector in detail.

Further Response

We are engaging OpenZeppelin to audit our deposit proxy configurations. The engagement is expected to start early next week, after which we will implement the changes necessary to ensure the safety of our deposit proxy configurations for all our vaults. Once the changes have been implemented, we will reopen deposits. The estimated time for re-opening deposits could be 1–3 weeks.

Need to Evaluate Incentives

A need arose immediately to assess the STIP incentive rates on each vault. STIP rewards continued to be dispersed throughout this period at the typically set rates for Period 5.

With users unable to deposit, we felt it could be viewed as unfair that users who withdrew out of caution could no longer collect incentives.

We also wanted to avoid shutting down the whole program, as hundreds of millions of dollars of volume were being facilitated by Gamma’s vaults, and vaults continued to be managed successfully.

Creating Reports

Gamma is currently in “Period 5” of the STIP. Each period runs 14 calendar days. Period 5 is active from 12/27/2023 16:00:00 to 1/10/2024 16:00:00 (UNIX 1703692800 - 1704902400).

The attack began on 1/4/2024 at 3:37:30 (UNIX 1704339450).

To better explain and evaluate the STIP, we conducted our standard biweekly reporting but broke Period 5 up into several different reports:

  1. “Pre-incident” Period 5 from 12/27/2023 16:00:00 to 1/4/2024 3:37:30 (7.48 days)
  2. “Post-incident Interim” Period 5 from 1/4/2024 3:37:30 to 1/8/2024 0:42:48 (3.88 days)
  3. “Post-incident” Period 5 from 1/4/2024 3:37:30 to 1/10/2024 16:00:00 (6.52 days)
  4. “Full” Period 5 from 12/27/2023 16:00:00 to 1/10/2024 16:00:00 (14.0 days)

The first and second reports have been completed to immediately assess the exploit’s effect on the Arbitrum STIP vaults.

The third and fourth reports will be completed as usual when the report is due. In this reporting period, we will likely offer all reports to the DAO for transparency and to help the Arbitrum Foundation, the DAO, and users see what happened.

Analyzing Changes

STIP Dashboard Link

Total Value Locked (TVL)

The first noticeable change was the post-incident Total Value Locked (TVL) decline for each AMM. Although none of the STIP vaults were compromised, users removed funds out of caution for safety. With deposits disabled, no new users could deposit in the vaults to claim the rewards and fees.

As of 1/8/2024 at 00:42:48 UTC, approximately 28% of the TVL, or $6,558,588, has left the STIP vaults. The TVL decline varied by AMM and vault, with Ramses losing the most (52%) and Camelot losing the least (25%).

Fees and Volume Through Vaults (VTV)

Fee production and volume fell after the incident. This decline was predictable, with so many liquidity providers (LPs) withdrawing from the vaults. Despite a surge in trading activity early in Period 5, Gamma continues to efficiently facilitate volume post-exploit.

Incentives

As suspected, the incentive APRs have increased due to capital leaving the vaults, while the rewards remain the same. The incentive liquidity rate (ILR), or the TVL per dollar spent, remains excellent. But as users withdraw, a smaller and smaller group of LPs will get rewards.

Transactions

In our last example, you can dramatically see the reductions in deposits after the attack, as these vaults were shut down almost immediately.

Proposed Modifications

In the interests of Arbitrum, Gamma, those who withdrew, and those who remain LPing, we propose measured reductions in incentives for Period 6 and, most likely, Period 7.

In the interest of fairness between the AMMs, incentives will be reduced by 30% on all STIP vaults for Period 6, with another evaluation for Period 7 if needed.

Any incentives not expended in this period will be added to the current backlog for Periods 8 or 9. If we hit the “wall” and have to expend incentives by a marked deadline, we can increase the incentive rate near the end of the program. With volume picking up on Arbitrum (as evidenced in Period 5), we don’t feel like that’s a bad idea.

We have shared these results with the Arbitrum team, Camelot, Ramses, PancakeSwap, and SushiSwap. Those who have been able to give us feedback have approved.

Final Thoughts

We at Gamma want to thank our users, partners, and Arbitrum for allowing us to participate in the STIP program. The Arbitrum STIP has been the largest single incentive program Gamma has deployed to date, and by far, it is our most successful.

Despite the apparent harm to everyone involved, we feel like this is an opportunity to set a standard course of action for projects that are exploited during an incentive period and respond in a highly effective way that preserves the spirit and objectives of the program.

Only a few days ago, OpenBlock Labs designated Gamma as one of the most productive STIP grant recipients. We were incredibly proud of our results.

Efficacy Across Verticals:

The “Annualized Fee Growth Relative to Claimed ARB Grant” chart on the OpenBlock dashboard evaluates the efficiency of ARB grants by comparing the annualized growth in protocol fees to the ARB grants claimed. The leading protocols, like Gamma, demonstrate strong fee growth compared to their received grants, indicating a productive use of ARB incentives. This metric, underpinned by a 7-day moving average, provides insights into the effectiveness of grant allocations in promoting protocol growth and sustainability.

We look forward to working with Arbitrum for the rest of the STIP and future endeavors.

Please let us know if you have any questions regarding this report.

Thank you,

Gamma Strategies
