Update (July 30, 7:55 PM UTC): This article has been updated with more details about the exploit.
On July 30, several stable pools on Curve Finance built with Vyper were exploited, resulting in losses of over $47 million. According to Vyper, compiler versions 0.2.15, 0.2.16 and 0.3.0 contain a faulty reentrancy lock.
"The investigation is ongoing, but any projects relying on these versions should contact us immediately," Vyper wrote on X. According to an analysis of the affected contracts by security firm Ancilia, 136 contracts use Vyper 0.2.15 and reentrancy protection, 98 contracts use Vyper 0.2.16, and 226 contracts use Vyper 0.3.0.
Many stable pools (alETH/msETH/pETH) using Vyper 0.2.15 have been exploited due to a reentrancy lock failure. We are evaluating the situation and will update the community as things develop. Other pools are safe. https://t.co/eWy2d3cDDj
— Curve Finance (@CurveFinance) July 30, 2023
According to preliminary investigations, some versions of the Vyper compiler did not properly implement reentrancy protection, which locks the contract so that a guarded function cannot be entered again (by itself or by another guarded function) before the first call has finished. A reentrancy attack could drain all funds in the contract.
Vyper is a contract-oriented, Pythonic programming language for the Ethereum Virtual Machine (EVM). Vyper's similarity to Python makes the language one of the common entry points for Python developers moving into Web3.
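As an added illustration (not code from Vyper, Curve or this article), a toy Python model of the reentrancy lock described above: `reentry_blocked` is the check a defender would run, re-entering one guarded function from inside another. The shared-lock case is the intended behaviour; the per-function lock is a simplified assumption about how the faulty versions behaved, and it shows why testing same-function reentry alone gives false confidence.

```python
"""Toy model of a Vyper-style @nonreentrant lock, written for this article (not
Vyper's or Curve's code).  Intended semantics: every function tagged with the same
key shares one lock.  Assumed faulty model: each function gets its own lock."""
from typing import Callable, Dict


class Reverted(Exception):
    """Stands in for an EVM revert."""


class Pool:
    def __init__(self, shared_lock: bool) -> None:
        self.shared_lock = shared_lock       # True = intended semantics
        self.locks: Dict[str, bool] = {}     # constructed lock state

    def _key(self, fn: str) -> str:
        # Shared: one key ("lock") guards every tagged function.
        # Per-function (assumed faulty model): lock slot keyed by function name.
        return "lock" if self.shared_lock else fn

    def _nonreentrant(self, fn: str, body: Callable[[], None]) -> None:
        key = self._key(fn)
        if self.locks.get(key):
            raise Reverted(f"{fn}: reentrant call rejected")
        self.locks[key] = True
        try:
            body()
        finally:
            self.locks[key] = False

    def add_liquidity(self) -> None:
        self._nonreentrant("add_liquidity", lambda: None)

    def remove_liquidity(self, on_eth_received: Callable[["Pool"], None]) -> None:
        # Paying out ETH hands control to the recipient's fallback code before
        # this function finishes, while its lock is still held.
        self._nonreentrant("remove_liquidity", lambda: on_eth_received(self))


def reentry_blocked(shared_lock: bool, target: str) -> bool:
    """Defender's check: from inside remove_liquidity, try to re-enter `target`
    and report whether the lock rejected the attempt."""
    def callback(p: Pool) -> None:
        if target == "add_liquidity":
            p.add_liquidity()
        else:
            p.remove_liquidity(lambda _p: None)
    try:
        Pool(shared_lock).remove_liquidity(callback)
    except Reverted:
        return True
    return False
```

With per-function locks, re-entering the same function is still rejected, so only the cross-function case exposes the defect.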
Many decentralized finance projects were affected by the attack. Decentralized exchange Ellipsis reported that a small number of its BNB stablecoin pools were exploited through the old Vyper compiler. Alchemix’s alETH-ETH pool also saw $13.6 million in outflows, alongside $11.4 million from JPEGd’s pETH-ETH pool and $1.6 million from Metronome’s sETH-ETH pool. Curve Finance CEO Michael Egorov later confirmed in a Telegram channel that 32 million CRV tokens, worth more than $22 million, had been drained from the exchange’s pool.
Certain types of Curve factory pools suffered a read-only reentrancy attack, resulting in a total loss of $11m (@JPEGd_69) + $13m (@AlchemixFi) + ... Initial investigation found that the vyper compiler (0.2.15) did not implement reentrancy protection correctly. add_liquidity… pic.twitter.com/avaHdtSFsm
— Tony Kay (@tonyke_bot) July 30, 2023
The vulnerability caused panic throughout the DeFi ecosystem, triggering a wave of cross-pool trading and white hat rescue operations. Data from CoinMarketCap shows that Curve Finance's utility token, Curve DAO (CRV), fell more than 5% on the news. As Cointelegraph reported, CRV's liquidity has dropped sharply in recent months, leaving it exposed to sharp price swings. According to Curve Finance, neither the crvUSD contract nor any of its pools was affected by the attack.
Curve Finance is a DeFi protocol that runs a decentralized exchange (DEX) for stablecoins on Ethereum. The protocol has become the target of a series of incidents within its ecosystem. Just a few days earlier, its integrated platform Conic Finance was exploited for $3.26 million in Ether (ETH), with almost the entire stolen amount sent to a new Ethereum address in a single transaction.
DeFi protocols have been the target of multiple attacks over the past few months. According to a report by Web3 portfolio application De.Fi, more than $204 million was lost to DeFi hacks and scams in the second quarter of 2023 alone.
Author: Deepchain DCNews
Compiled by: Sister Shen
Twitter: DeepChain (https://twitter.com/DeepChainUS)