# Curve governance is under attack (not by Mochi but by bribery)

> Disclaimer: I'm not taking any sides here. I'm just writing what I found in the mochi.fi shoot-down. Feel free to provide any detailed info that I missed.
> And please correct me if I'm wrong at any point. As an outsider, I cannot access/follow up every piece of information needed.

Curve's emergency DAO killed the usdm gauge on 21/11/11 ([twitter](https://twitter.com/CurveFinance/status/1458758206595944454?s=20)).

This is about how Mochi even got there and how it got killed. The story itself is quite interesting imo. It is an abstract of most of the problems that everyone in crypto is trying to hide.

tldr; Curve Finance is in danger because of bribery. Also, its governance was not controlled properly.

## How Mochi got a Curve gauge

> we are not going to deal with details of mochi.fi itself here

Mochi is a stablecoin platform trying to become the MakerDAO for long-tail assets. The mission was simple: mint `usdm` with long-tail collateral. Since `usdm` was trying to become a dollar-pegged stablecoin, it was obvious that it was going to be listed on Curve.

So, the usdm3Crv factory pool was deployed ([tx](https://etherscan.io/tx/0x1b1c588c2b483d3b438083c3ebd1fa0b696990e886030c50cced7b30953fd9ad)) through the [factory](https://etherscan.io/address/0xb9fc157394af804a3578134a6585c0dc9cc990d4#code)

![](https://i.imgur.com/yvPdNJD.png)

through this function:

```python
@external
def deploy_metapool(
    _base_pool: address,
    _name: String[32],
    _symbol: String[10],
    _coin: address,
    _A: uint256,
    _fee: uint256,
    _implementation_idx: uint256 = 0,
) -> address:
    ...  # pool creation body omitted in the original excerpt
    log MetaPoolDeployed(_coin, _base_pool, _A, _fee, msg.sender)
    return pool
```

It seems quite easy. A simple function call without any restriction (no access control on `deploy_metapool`) will bring up a Curve 3pool metapool. Still, it needs a vote to be added as a gauge. If it was a scam, it shouldn't have been possible to pass the vote, right? But it did pass the vote. It got over 60% of votes for adding the gauge.
![](https://i.imgur.com/iv644M1.png)

https://dao.curve.fi/vote/ownership/87

And these are the top 4 addresses that voted for Mochi:

- [0x989AEb4d175e16225E39E87d0D97A3360524AD80](https://etherscan.io/address/0x989AEb4d175e16225E39E87d0D97A3360524AD80) - this is Convex Finance's voting address
- [0x7a16ff8270133f063aab6c9977183d9e72835428](https://etherscan.io/address/0x7a16ff8270133f063aab6c9977183d9e72835428) - this is an EOA. I don't know who this is
- [0xf89501b77b2fa6329f94f5a05fe84cebb5c8b1a0](https://etherscan.io/address/0xf89501b77b2fa6329f94f5a05fe84cebb5c8b1a0) - this is also an EOA
- [0xf147b8125d2ef93fb6965db97d6746952a133934](https://etherscan.io/address/0xf147b8125d2ef93fb6965db97d6746952a133934) - this is yCRV voting

These 4 addresses had more than enough votes to add the usdm3crv metapool as a gauge.

![](https://i.imgur.com/M7pHxci.png)

Since the Convex team and some Yearn core devs were the ones that led the usdm3Crv gauge shoot-down, it was quite weird for me that Convex/yCRV were among the majority. So I tried to look deeper into why they voted "yes" in the first place. It was quite hard to find any info about this, since there wasn't any info on Curve's Snapshot page.

![](https://i.imgur.com/yuBVTGu.png)

> doesn't seem to have any Mochi related proposals

So I looked into Convex Finance instead and found this.

![](https://i.imgur.com/xJ6nYim.png)

This is the vote that added the gauge for usdm. And here again, this address `0xde1E6A7ED0ad3F61D531a8a78E83CcDdbd6E0c49` and 2 core devs were able to execute the vote. As a result, Convex's voting power was cast as "yes" on adding usdm to the gauge ([tx](https://etherscan.io/tx/0x7b772c0d5efc33a5ec0847483e3af5d8eba16c0bb05a4ee4d4907121dc1608e8)).

So, what is this `0xde1E6A7ED0ad3F61D531a8a78E83CcDdbd6E0c49` address that holds the majority of Convex tokens? It is Votium's vote proxy. In case anybody does not know what Votium is, it is a Convex vote bribery protocol ([link](https://votium.app/)).
The weird thing comes up at this part: `0xde1E6A7ED0ad3F61D531a8a78E83CcDdbd6E0c49` is a contract address, which makes it impossible for it to sign any message itself. Also, that contract has not voted for anything on-chain. And I found the reason how this happened.

The `0xde1E6A7ED0ad3F61D531a8a78E83CcDdbd6E0c49` address implements EIP-1271, a standard under which a signature from the contract's owner is accepted as a valid signature of the contract itself. It means tommyg.eth (the owner of Votium) was in full control over those 3.49m CVX at the time and 7.78m at the [latest vote](https://snapshot.org/#/cvx.eth/proposal/QmW1vfs5jLRK9u2aMrQ96v9a9hhaVxD3mg1Zx1r3kYr9Ko). Considering that the total vote-locked supply of CVX is 22m ([link](https://dune.xyz/queries/137445/271208)), that is about 30% of the total supply. Also, 38% of veCRV is allocated to Convex ([link](https://dune.xyz/queries/56185/111481)); I'm pretty sure at this point that Curve can be controlled by tommyg.eth.

Yup, that's right. Convex is being controlled by tommyg.eth because of the bribery, and all of those who received bribes through Votium are responsible for this. It's pretty clear that Mochi got here by bribes, and any other Mochi can come up any time soon if we don't stop this.

### Summary

Mochi used a bribe to get into the CRV gauge, by bribing through Votium without giving out any money ([twitter](https://twitter.com/VotiumProtocol/status/1443140646949294084?s=20)). And surprisingly, Votium's vote was handled by a single EOA (tommyg.eth), not by any governance token or multisig, and that EOA can literally control 30% of the vlCVX, which is more than enough to control the veCRV locked by Convex unless the Convex multisig refuses to execute the governance result (which would call the governance itself into question).

#### PS1. Curve's secret EOA governance

Curve LP tokens have this `A` value that determines the bonding between underlying tokens, which can be increased by the `ramp_A()` function.
According to the [docs](https://curve.readthedocs.io/exchange-pools.html#amplification-coefficient), it should only be called through governance. But I found out that [it was called by an EOA](https://etherscan.io/tx/0x1ca78105749e48e182e1dd0e6040f3d6e9e9febc73d2b2e4e6efaf68be9a36e6), and no forum/governance discussion was found.

The address that can call this function is the admin of the factory. This was an EOA, but it has been changed to a contract address which was [deployed right before the Mochi shoot-down](https://etherscan.io/tx/0xef20d72b29373c591e1911ea6b1bfff3520473a2820cbb4b01d962131b57c4c4). Which ultimately means... that EOA was able to kill any gauge before 11/11.

After all, we should thank Mochi for letting us know these were available in the first place, and ultimately forcing the Curve team to actually change the admin to a contract, not an EOA. But still, this EOA has the power to change the reward distributor of a gauge, which is not described at any point in the documentation. And this EOA has done the following types of txs:

- adding Ren Swap as basePool ([tx](https://etherscan.io/tx/0xad288f471da6aca0625173e19030d80f3e02e4d736da214babdef29f2a12de77))
- batch set asset pool type ([tx](https://etherscan.io/tx/0xc4be8507882ba0f9d4f63718a0de8ef9b7b1ca5c2290ec977ade50c49f19e093))
- set gauge implementation ([tx](https://etherscan.io/tx/0xd882e39553a7aeb690d8e16da4b18f606a85cbb3256a77642e3b3f32964f1e7c))
- etc...

#### PS2

Can anyone find info about this tx?

https://etherscan.io/tx/0xb8462398f6dcb8ae08632276ccb74465dd887cbab5a407772e09f2ce351ae0c8/advanced#eventlog

This is the tx in which the yCRV vault voted for the usdm3Crv gauge, but I cannot find any info/forum about this tx.
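The EIP-1271 pattern described above (a contract that cannot sign, but declares its owner's signature to be its own) is what lets an off-chain voting system count a single EOA's signature as the contract's vote. The following is an added illustration written for this post, not Votium's actual proxy code; the contract layout, the `owner` variable and the Vyper 0.3.7 pragma are my assumptions.

```vyper
# @version 0.3.7
# Added example: minimal EIP-1271 "owner-signs-for-contract" wallet.
# NOT Votium's code. Shows why a contract holding voting power is, for
# any signature-based voting system, effectively controlled by whoever
# holds the single `owner` key: every message the owner signs is
# reported as a valid signature of this contract.

# Magic return value EIP-1271 defines for "signature is valid":
# bytes4(keccak256("isValidSignature(bytes32,bytes)"))
MAGIC_VALUE: constant(bytes4) = 0x1626ba7e

# A single EOA. Governance risk: one key, no multisig, no timelock.
owner: public(address)

@external
def __init__(_owner: address):
    self.owner = _owner

@view
@external
def isValidSignature(_hash: bytes32, _signature: Bytes[65]) -> bytes4:
    """
    @notice Called by off-chain verifiers (e.g. a Snapshot-style voting
            backend) to ask this contract whether `_signature` over
            `_hash` should count as the contract's own signature.
    @return MAGIC_VALUE if `_hash` was signed by `owner`, else 0x00000000.
    """
    assert len(_signature) == 65, "bad signature length"
    # Standard 65-byte layout: r (32) | s (32) | v (1)
    r: uint256 = convert(slice(_signature, 0, 32), uint256)
    s: uint256 = convert(slice(_signature, 32, 32), uint256)
    v: uint256 = convert(slice(_signature, 64, 1), uint256)
    # Some signers emit v as 0/1 instead of 27/28; normalise it
    if v < 27:
        v += 27
    # ecrecover returns the zero address for a malformed signature,
    # so reject that explicitly rather than relying on owner != 0
    signer: address = ecrecover(_hash, v, r, s)
    if signer != empty(address) and signer == self.owner:
        return MAGIC_VALUE
    return empty(bytes4)
```

For anyone auditing who really controls a voting contract, the check is therefore not "does this address have code" but "whose key does its `isValidSignature` ultimately defer to".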