Curve Finance pools exploited by over $47M due to reentrancy vulnerability

Curve Finance, a prominent decentralized finance (DeFi) protocol, suffered a devastating blow from a reentrancy attack, with losses surpassing $47 million. The exploit, which occurred on July 30, targeted several stable pools on Curve Finance whose contracts had been compiled with vulnerable versions of the Vyper programming language. The flaw affects Vyper versions 0.2.15, 0.2.16 and 0.3.0, putting numerous contracts across the ecosystem at risk. In this article we will look at what exactly happened at Curve Finance, what a reentrancy attack is, which DeFi protocols suffered from the attack, and how the attack could affect the Web3 ecosystem.

But first a little bit of background knowledge 🙂

What is Curve Finance

Curve Finance is a protocol on Ethereum for exchanging stablecoins and other assets that are meant to hold a similar value. It lets you trade and earn interest on such assets, and you can deposit them into its liquidity pools to earn rewards in CRV, the native token of Curve Finance.

What is Vyper

Vyper is a contract-oriented, pythonic programming language designed specifically for the Ethereum Virtual Machine (EVM). Its similarity to Python makes Vyper one of the go-to languages for Python developers moving into Web3.

About the hack

$47 million was stolen by an attack targeting a reentrancy vulnerability. The exploit was made possible by a flaw in certain versions of the Vyper compiler, which did not correctly implement the @nonreentrant guard: when several functions in a contract were decorated with the same lock key, the affected compilers gave each function its own lock instead of one lock shared by all of them, so a call that was still executing inside one guarded function could re-enter another. The guard is crucial because it is meant to stop a contract from being re-entered while one of its calls is still in progress, by locking the contract for the duration of that call, which protects funds from being drained while the contract's accounting is half updated. Reentrancy attacks remain one of the most significant threats to smart contracts.
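The bug is easiest to see in a runnable model. The following script is an added example, not code from the original article and not Vyper's or Curve's own source. It models in Python (rather than Vyper) a pool whose add_liquidity and remove_liquidity are guarded by the same @nonreentrant key, an attacker contract whose ETH-receive hook re-enters add_liquidity while remove_liquidity is still running, and the two lock layouts: one storage slot per (key, function), as the affected compilers produced, and one slot per key, as intended. The pool arithmetic, the amounts and the attacker are all constructed for the example.

```python
# Added illustration; not code from the original article and not Vyper's or
# Curve's own source.  A Python model (not Vyper) of the cross-function
# reentrancy that the miscompiled @nonreentrant guard allowed.  Pool
# arithmetic, amounts and the attacker contract are constructed here.


class Reentered(Exception):
    """Stands in for the revert a guarded call hits when its lock is held."""


class Pool:
    """Toy ETH/LP pool.  `eth_balance` plays the role of self.balance in Vyper:
    it drops the instant ETH is sent out.  shared_lock=False reproduces the
    Vyper 0.2.15-0.3.0 layout, where every function decorated with
    @nonreentrant("lock") got its own storage slot; shared_lock=True is the
    intended layout, one slot per key shared by all functions using it."""

    def __init__(self, eth, lp, lp_holder, shared_lock):
        self.eth_balance = eth
        self.lp_supply = lp
        self.lp_of = {lp_holder: lp}
        self.shared_lock = shared_lock
        self._locks = {}                      # storage-slot model

    def _slot(self, fn):
        return "lock" if self.shared_lock else ("lock", fn)

    def _acquire(self, fn):
        if self._locks.get(self._slot(fn)):
            raise Reentered(fn)
        self._locks[self._slot(fn)] = True

    def _release(self, fn):
        self._locks[self._slot(fn)] = False

    def add_liquidity(self, sender, eth):
        self._acquire("add_liquidity")
        try:
            minted = eth if self.lp_supply == 0 else eth * self.lp_supply // self.eth_balance
            self.eth_balance += eth
            self.lp_supply += minted
            self.lp_of[sender] = self.lp_of.get(sender, 0) + minted
            return minted
        finally:
            self._release("add_liquidity")

    def remove_liquidity(self, sender, lp):
        self._acquire("remove_liquidity")
        try:
            eth_out = lp * self.eth_balance // self.lp_supply
            self.lp_of[sender] -= lp
            # ETH leaves before the LP supply is reduced, and the transfer hands
            # control to the recipient (raw_call), which may call back in.
            self.eth_balance -= eth_out
            sender.receive(self, eth_out)
            self.lp_supply -= lp
            return eth_out
        finally:
            self._release("remove_liquidity")


class Attacker:
    """Contract whose ETH-receive hook re-enters add_liquidity exactly once."""

    def __init__(self, eth):
        self.eth = eth
        self.reentry_succeeded = False

    def receive(self, pool, amount):
        self.eth += amount
        if self.reentry_succeeded:
            return
        try:
            pool.add_liquidity(self, self.eth)   # pool ETH is low, LP supply is not
        except Reentered:
            return                               # inner call reverted; outer continues
        self.eth = 0
        self.reentry_succeeded = True


def run_attack(shared_lock):
    """Deposit, withdraw (re-entering during the ETH transfer), then cash out."""
    victim = object()                            # honest LP holder (constructed)
    pool = Pool(1_000, 1_000, victim, shared_lock)
    attacker = Attacker(eth=100)

    attacker.eth -= 100
    lp = pool.add_liquidity(attacker, 100)       # fair rate: 100 LP
    pool.remove_liquidity(attacker, lp)          # triggers the re-entrant add
    left = pool.lp_of.get(attacker, 0)
    if left:
        pool.remove_liquidity(attacker, left)    # redeem the over-minted LP

    return {"reentered": attacker.reentry_succeeded,
            "profit": attacker.eth - 100,
            "pool_eth": pool.eth_balance}


if __name__ == "__main__":
    print("per-function slots:", run_attack(shared_lock=False))
    print("shared slot:       ", run_attack(shared_lock=True))
```

With per-function slots the re-entrant add_liquidity succeeds and mints LP tokens against a pool balance that has already dropped by the outgoing ETH while the LP supply has not yet been reduced; the attacker then redeems that LP for more ETH than was deposited and the honest holder's tokens are backed by less. With a shared slot the same re-entrant call reverts and the attacker ends where it started. Note that the miscompiled guard still blocks a function from re-entering itself; only the cross-function case is open, which is why a contract has to be checked for pairs of functions sharing a key rather than for the presence of the decorator alone.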

Scope of the attack: how much damage did the hack do?

Following the incident, security firm Ancilia analysed the affected contracts and found that 136 contracts were built with Vyper 0.2.15, 98 with Vyper 0.2.16 and 226 with Vyper 0.3.0. Using an affected compiler does not by itself make a contract exploitable: the bug only matters where two or more functions share a @nonreentrant key and one of them hands control to an external contract mid-call, for example by sending ETH. The investigation into the breach is ongoing, and Vyper urged any project relying on these versions to reach out promptly for support.

Which DeFi projects were affected by the exploit

Several DeFi projects bore the brunt of the attack, with substantial losses reported:

  • Ellipsis: the decentralized exchange saw a small number of its BNB stable pools, built with an old Vyper compiler, exploited.
  • Alchemix, $13.6 million: Alchemix's alETH-ETH pool was drained of $13.6 million.
  • JPEGd, $11.4 million: $11.4 million was taken from JPEGd's pETH-ETH pool.
  • Metronome, $1.6 million: Metronome's sETH-ETH pool lost $1.6 million.
  • Curve Finance, $22 million: in a Telegram channel, Curve Finance CEO Michael Egorov confirmed that the CRV/ETH swap pool had been drained of 32 million CRV tokens, worth over $22 million.
“The short answer is that everything that could be drained was drained. The targeted pools are aETH/ETH, msETH/ETH, pETH/ETH and CRV/ETH. All remaining pools are safe and unaffected by the bug,” Curve Finance said on Discord.

How the Curve Finance attack affected the crypto industry

The attack triggered panic across the DeFi ecosystem, leading to a surge of transactions across various pools and prompting a rescue operation by white-hat hackers. Following the news, Curve's utility token CRV had fallen by more than 20% at the time of writing. CRV's liquidity has been notably reduced in recent months, leaving it susceptible to large price swings.

[Figure: price of the CRV token after the exploit]

Community members also noted a potential ripple effect on Aave’s protocol, as the falling price of CRV could force Curve founder Michael Egorov to liquidate a $70 million borrowing position on Aave.

BNB Smart Chain hit with copycat Vyper attack, $73K exploited

The flaw in the Vyper compiler also led to a copycat attack on the BNB Smart Chain (BSC), mirroring the attack on the decentralized finance (DeFi) protocol Curve Finance.

Alongside the Ethereum exploits, blockchain security firm BlockSec reported on July 30 that three BSC exploits had resulted in the theft of almost $73,000 in cryptocurrency.

Previous Exploits

The incident at Curve Finance is just one of several attacks that have plagued the DeFi space in recent months. A report by the De.Fi portfolio app suggests that over $204 million was lost to DeFi hacks and scams during the second quarter of 2023.

Interestingly, this recent attack is not the first security incident involving Curve liquidity. Just days before the latest breach, Conic Finance, an omnipool protocol built on top of Curve, was exploited for $3.26 million in Ether, with the entire stolen amount quickly transferred to a new Ethereum address in a single transaction.

Conclusion

The vulnerability that struck Curve Finance has once again raised concerns about the security and robustness of DeFi protocols. The incident highlights the need for continuous and meticulous auditing of smart contracts, and of the compilers that produce them, to identify and rectify potential vulnerabilities. While the investigation is ongoing, it is vital for projects using Vyper versions 0.2.15, 0.2.16 and 0.3.0 to take immediate action: check whether any deployed contract applies the same @nonreentrant key to more than one function, and seek support from Vyper.

As the cryptocurrency space continues to evolve, it is essential for all stakeholders to stay vigilant and collaborate in fortifying the ecosystem against potential threats. The DeFi community must come together to develop comprehensive security measures and promote responsible practices to ensure the safety and trust of participants in this exciting and innovative financial landscape.
