Dot Pulse #10 — Kusama’s First Exploit & Karura Deep Dive

Learn about Karura and other Kusama parachains, how the Kusama community fixed an exploit, new farms and governance watcher! 📣

Welcome to Dot Pulse, your window into the Polkadot DeFi ecosystem.

If you’re a humble farmer looking to learn more about Polkadot’s DeFi opportunities, or even if you’re a seasoned DOT/KSM staker, this newsletter is the place to find all the latest events in Dot land.

For this and the next few weeks we’ll be running spotlights on the parachains currently live on Kusama (and which might plan to go on Polkadot too), based on their order of inclusion.

You know how Kusama is always mistaken for a testnet? As we explained in the past, it’s a canary network — a valuable but chaotic blockchain where deploying unaudited code is considered the normal state of things. Real-world usage will always beat any kind of audit or testing, which is why the Polkadot versions of these parachains will likely be far more stable and reliable.

Karura: the DeFi parachain hub

Our first spotlight goes to Karura, the canary deployment of Acala Network. Karura was the first parachain and collected 501k KSM, by far the highest amount of any parachain ($186 million at current prices). 

Its native token, KAR, is used both as the parachain transaction fee token and for governance. With a current price of $8.8, crowdloan participants have earned roughly 50% of their initial KSM commitment, which generated 1.145M KAR. Of these, 30% were immediately usable and the rest linearly vested through the duration of the lease of 48 weeks, or 11 months.

KAR has no value capture mechanisms beyond fee payment and governance, but the Karura treasury is a much more advanced concept than we’re used to with other protocols. For one, it features a “Decentralized Sovereign Wealth Fund” governed by KAR holders. The fund collects any surplus revenue from Karura’s protocols or transaction fees and invests it through staking or through discretionary investment decided by the community.

The primary goal of the Karura treasury right now is to collect enough KSM reserves to bid for the next parachain slot without using crowdloans. 

What can you do with Karura?

As the first parachain to ever launch, Karura is probably the most developed of them all. It aims to be the DeFi hub of Kusama, incorporating many popular DeFi primitives into the parachain itself. Since its launch it has already integrated many of the elements of its wide roadmap, which includes a Maker-like stablecoin protocol, Karura DEX and Liquid KSM. 

Honzon (at least that’s its Acala name) is the stablecoin generation protocol. On Karura you will be minting kUSD, which works almost exactly like multi-collateral Dai — deposit collateral in a vault and borrow kUSD from it. Currently only KSM and LKSM are enabled for this, but as the network matures we can expect more options! The differences with Dai lie in the core architecture — for example the protocol automatically auctions underwater positions without relying on keepers to trigger the auctions. 

Karura Swap is an AMM decentralized exchange, which works almost exactly like Uniswap V2. On Karura, the DEX is deployed as a runtime module, basically a native blockchain function. Besides KAR, kUSD and KSM, the DEX is starting to add new pairs of tokens from other parachains. 

One cool thing about the DEX (and in general any Karura app) is that you don’t need to actually hold KAR to pay for transaction fees. The system is set up to automatically swap KSM or other tokens into KAR when you’re performing a transaction, benefitting the protocol while ensuring great UX!

Homa is the liquid staking protocol. As we mentioned in the last edition, liquid staking is an absolute must on Polkadot as it’s designed to have at least half of its supply staked at any given time. Liquid staking means that you get to benefit from the staking yield while still being completely free to sell your assets or use them in any other DeFi protocol. Liquid KSM (or DOT) acts as an IOU token for your stake, so you can redeem the underlying tokens whenever you want (for a fee).

What’s next for Karura?

The Karura parachain is still in the process of fully launching. With liquid staking gradually coming online though, the parachain’s core protocols will all be ready!

The next big item on the Karura roadmap is the “EVM+”, an Ethereum-based environment where you’ll be able to deploy Solidity smart contracts while using MetaMask and all the other tools for Solidity development. 

Here, Karura will be competing with Moonriver/Moonbeam, the parachain that placed all its bets on being Ethereum-compatible. To be fair it’d compete with most other parachains too, as Substrate features an EVM pallet that makes it very easy to add Solidity support. Karura and Moonriver are definitely the frontrunners for full support though, as the basic Substrate pallet won’t let you use MetaMask or Ethereum addresses.

Once the EVM+ is deployed, we will most likely see a strong push to onboard other development teams to launch their protocols on Karura. Will developers do that, though? That remains to be seen, as Karura is quite obviously not “neutral” — any aspiring DEX or stablecoin protocol will be competing with the parachain’s core protocols. 

The benefits may still outweigh the risks as Karura is currently leading in terms of cross-parachain support. The liquidity available on the parachain will probably be significant, so it may make sense to deploy “add-ons” to Karura — DeFi legos that aren’t AMMs and stablecoins. The protocol currently has no plans to deploy any other DeFi primitive, so the ecosystem is definitely wide-open in terms of what else you can build on it!

Polkadot Weekly Farms

No auctions currently live, stay tuned for Polkadot auctions starting on November 11!

Active Farms

Earn KAR by staking on Karura DEX

  • Yields are now 24.5% APR (or 48.7% with loyalty bonus) for KAR/KSM. 

  • KSM/LKSM farm appeared with 14% APR (46% with loyalty)

  • KAR/kUSD now offers kUSD surplus as well. APR is 52%, 75.1% with loyalty.

Earn KAR + BNC (Bifrost tokens) when staking kUSD/BNC 

  • APR is 181% with loyalty, 51% without.

Moonriver’s farms continue steady. As before, the following section is not vetted. Rug risk is high, fundamentals are basically absent. Proceed at your own peril.

  • Earn SOLAR in a classic Pool1/Pool2 arrangement, Pool2 yield hovering in the mid triple digits, but there is a Pool1 with over 100% APR.

  • Earn MOON in another Pool1/Pool2 set of farms. Yields at 500% for the Pool 2s.

  • A few more assorted UNI V2 token farms in this list.

In the past week we had what is possibly the first ever DotSama exploit, but thanks to the quick work of Kusama governance (and one unique Kusama/Polkadot feature), nobody lost any money!

The whole thing started when the Karura team discovered a mismatch between the KSM the parachain’s account was holding on the Relay Chain, and what its internal balance said it should have held. A mismatch to the tune of about four million dollars, or 11,000 KSM.

Naturally, this warranted a deeper investigation, and the Karura team quickly found some suspicious transactions that extracted tokens from Karura’s account. The team quickly notified centralized exchanges to ensure they wouldn’t let the attacker cash out his tokens, while disabling the feature that allowed the money to be siphoned in the first place.

The issue was a combination of a bug in an older version of XCM (the cross-chain messaging format) used by Karura, and a slight but critical misconfiguration error. XCM v1, the one used by Karura, contained a bug that would allow external entities to escalate privileges on an account. For general safety reasons, XCM v1 didn’t allow handcrafting XCM messages, so the bug wasn’t exploitable, but on Karura this safety check was removed.

Kusama is now operating on XCM v2, which was audited and is expected to be more robust. This limited the damage the attacker was able to do, as Karura was the only vulnerable parachain.

Recovering the lost funds

Here is where we uncover one way that Polkadot is different from many other blockchains.

On Ethereum, this story would have mostly ended here with the attacker disappearing into the mist. Maybe there would’ve been some drama on Twitter as the team tried to establish negotiations with the attacker (or threatened to dox them or call the IRS on them).

On Kusama, this story is very different. Its governance has the very special power of being able to transfer tokens from any account, or even mint new ones. It can essentially nullify the results of any hack or mistake, and that’s exactly what it did here!

Motion 373 and Referendum 143 were quickly launched (after a few failed attempts with bad parameters) and voted on to take away 9,999 KSM from the attacker’s account. Another 1,000 KSM were burned by the attacker, so now a new proposal will need to be voted on to re-mint those tokens and give them to the Karura account. The proposal accidentally left the attacker with 1 KSM, though the amount can be considered a finder’s fee.

This event is a clear sign that hacks can’t be successful on DotSama, as governance holds immense power over the blockchain. Polkadot and Parity would’ve loved to have this feature on Ethereum back in the day. 

In fact, the belief that governance should be able to mutate the state is probably the biggest philosophical divergence between the Polkadot and Ethereum communities.

TL;DR: The Moonbeam Foundation is opening up “pre-registrations” for the Moonbeam crowdloan on Polkadot.

TL;DR: Khala Network approved and launched the Khala-Ethereum Bridge. This opens up one more channel between Kusama and Ethereum.

TL;DR: Karura Swap listed the first asset from another parachain, BNC, shortly after launching the bridge. 200,000 BNC and 25,000 KAR are available as liquidity mining rewards. 

TL;DR: Equilibrium has launched xDOT staking, a crowdloan derivative that mints liquid DOT tokens on Genshiro, making them immediately useful for DeFi.

TL;DR: Gavin Wood is not-so-subtly inviting people to make use of the Polkadot treasury, which now contains a whopping 18,936,300 DOT ($814 million, if you do the math).

All info in this newsletter is purely educational and should only be used to inform your own research. We're not offering investment advice, endorsement of any project or approach, or promise of any outcome. This is prepared using public information and couldn't possibly account for anyone's specific goals or financial situation. Be careful and keep up the honest work!

