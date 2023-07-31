Multiple projects were affected by an attack on some of Curve's stablecoin pools due to bugs in the Vyper smart contract language layer, causing the reentrancy lock defense of these projects to fail.

Odaily Planet Daily News reports that a variety of well-known projects experienced a failure in their reentrancy lock defenses due to bugs in the smart contract language layer. Yu Xian, the founder of SlowMist, commented on the losses incurred by these projects, stating that black hat and white hat hackers, as well as MEV Bots, have taken advantage of these vulnerabilities to manipulate and front-run funds. The issue this time involved the less popular Vyper smart contract language and not Solidity.

According to previous reports, the alETH/ETH, msETH/ETH, pETH/ETH, and CRV/ETH pools on Curve were attacked due to recursive lock vulnerabilities found in certain versions of Vyper (0.2.15, 0.2.16, and 0.3.0). Projects affected by the attack include DeFi lending protocol Alchemix, DeFi public product JPEG'd, DeFi synthetic asset protocol Metronome, cross-chain bridge deBridge, BNB Chain-based DEX Ellipsis using the Curve mechanism, and Curve CRV/ETH pool. An estimated loss of around $5.2 million has been reported.

Following the attack, the MEV robot c0ffeebabe.eth returned 2,879 ETH (approximately $5.4 million) to the Curve.fi: Deployer address.

