Chaos Labs - Update on Bybit Security Event and USDe Market Reaction

Overview

Chaos Labs provides an update related to Ethena assets in light of the recent Bybit security event.

sUSD/sUSDe

There appears to have been a security incident on Bybit that involved over $1.4B in stETH and ETH being transferred to the address 0x47666Fab8bd0Ac7003bce3f5C3585383F09486E2, which has begun selling and transferring the received funds. Bybit is one of the largest exchanges working with Ethena, with more than $1B worth of assets hedged on the exchange.

However, Ethena does not hold its backing assets on the exchange; they are instead custodied off-exchange, with Bybit then crediting them with a balance according to the custodied assets; this credit is used to hedge the backing assets. Additionally, balances are settled daily, meaning that Ethena maintains risk exposure to the daily profits/losses from its short positions.

Ethena’s official X account stated that “Not a single dollar of spot backing value is held on any exchange, including Bybit. Currently there is <$30m of aggregate unrealised PNL relating to Bybit hedge positions, which is less than half of the reserve fund. USDe remains more than fully collateralised at this time.”

We are monitoring the situation and are in touch with Ethena and other first responders.

Currently, no action is necessary; we will update the community in the event that this changes. Chaos Labs is prepared to respond swiftly to any changing market conditions.

Thank you, Chaos Labs, for your efforts. Please continue to follow up on the Bybit security incident to ensure the asset security of the Venus protocol.

Overview

Chaos Labs provides a post-mortem related to the Bybit security event regarding Venus’s integration of sUSDe and USDe.

Timeline of Events

On Feb-21-2025 at 14:16 UTC, the attacker transferred the funds from Bybit Cold Wallet to his personal EOA.
The theft was performed over 4 transactions:

Following the transactions, at 14:32 UTC, well-known on-chain sleuth ZachXBT confirmed on Telegram that it was an exploit.

At 15:16 Ethena confirmed that its funds are held with custody solutions such as Copper for Bybit, and that the unrealized negative PNL on Bybit at the time of the post was limited to $30M.

At 15:57 Ethena announced that the unrealized PNL was reduced from $30M to $10M.

At 16:12 Ethena announced that the unrealized PNL exposure to Bybit has been reduced to zero.

At 16:22 Bybit’s CEO began a livestream, announcing the following:

  • Bybit was performing a regular Cold to Warm wallet transfer
  • The signing interface was showing the correct transaction
  • The transactions that were signed instead gave control of Bybit’s Ethereum Cold wallet to the attacker
  • BTC and other assets were not affected
  • Bybit was performing withdrawals
  • Bybit CEO confirms that Bybit funds are 1-1 backed
  • For immediate ETH withdrawals, Bybit will obtain a loan from partners

Temporary USDe Depeg and Oracle Deviations

During the incident described above, USDe began to depeg across all venues. However, onchain depegs were less severe because redemptions functioned efficiently, which prevented further onchain price deviations; arbitrageurs were able to buy discounted USDe and redeem it for a profit.

Curve USDe/USDC Price

For instance, the USDC/USDe Curve Pool realized a depeg of $0.994 that lasted for approximately one hour before recovering to around $0.999 at approximately 16:15 UTC.

Bybit USDe/USDT Price

The same did not hold true on Bybit, which displayed a larger and longer lasting discount — dropping to 0.96 USDT — in part because of the greater friction involved with redeeming (s)USDe held on the exchange.

Chainlink USDe/USD Feed

This ultimately resulted in the Chainlink USDe/USD market feed trading at a significantly lower value than observed on chain, reaching as low as $0.977.

Curve sDAI/sUSDe Price

Additionally, sUSDe was also affected by this incident and began to depeg. Below, we present the sUSDe/sDAI price from the sDAI/sUSDe Curve Pool over the same timeframe. This pool currently holds $48.55M in TVL. The asset began depegging around 15:35 UTC, reaching a maximum discount of 800bps to sDAI; a much larger value due to liquidations and a lack of atomic offloading.

Similarly, the depeg lasted for approximately one hour before recovering at around 16:30 UTC.

Redemptions

Since the exploit, roughly $117M of USDe has been redeemed through the Mint/Redeem contract, primarily for USDT. Following the exploit and the initial redemption demand, Ethena quickly increased the Redeem Buffer significantly to $250M and maintained it at that value through continuous replenishments until the peg was recovered.

Below, we present the distribution of the top USDe redeemers since the exploit. The largest redemption came from address 0x08d92207a07e0789cfcf19413123c3eb919d3480, with a redemption amount of $30.6M.

On Ethena’s side, the majority of replenishments within the redemption contract came within a two block window, indicating that Ethena’s redemption mechanism was functioning effectively and allowing users to exit the asset without generating sell pressure in the market.

As displayed below, fee size did not increase along with redemption size, again indicating that Ethena efficiently processed redemptions, helping to maintain (s)USDe’s peg.

Conclusion

In the face of the largest hack in crypto’s history, Ethena’s systems functioned well: no bad debt was generated on Venus, and the asset’s depeg was relatively minimal. While the exposure remains neutralized, the exact nominal exposure to Bybit today remains unknown.

Redemptions are executed atomically onchain, ensuring that, assuming the protocol optimizes available liquidity in the withdrawal buffer, the onchain market price aligns closely with the redemption price.

However, when USDe has significant utilization as collateral on CEXes, when at risk, the VWAP market price is susceptible to artificial market price dislocations that deviate from the onchain efficiency, due to implied exposure to the CEX, users panicking into other stablecoins, and, on the flip side, a less reactive market due to the implied delta risk associated with performing redemptions through obtaining USDe on the CEX.

As such, this led to market price oracles returning values that were lower than anything observed onchain; a relatively inefficient phenomenon when considering the fundamental value associated with USDe as observed onchain.

This issue could be mitigated through the use of a Proof of Reserves (PoR) oracle when available. However, despite the price oracle deviation, thanks to the careful parameterization of the asset, Venus did not incur any bad debt.
