The Story of the Curve-Vyper Exploit: What Happened and How It Developed

Curve Finance

The decentralized finance (DeFi) ecosystem has had a difficult week after a major security incident resulted in the theft of over $61 million from Curve Finance's pools, leaving multiple protocols exposed to further attacks. The days that followed saw efforts to recover the stolen funds, as the attack exposed weaknesses in many DeFi projects. A report by Cointelegraph shared details about the incident and what has happened since the hack on July 30.

Vyper Exploit Shakes DeFi: Millions Lost in Curve Finance Pools

On July 30, hackers exploited several stable pools on Curve Finance that had been built with vulnerable versions of the Vyper programming language, resulting in losses of over $61 million (total losses were initially estimated at $47 million). Vyper versions 0.2.15, 0.2.16, and 0.3.0 were affected by the vulnerability.

The attack had an impact on several DeFi projects. A few stable pools holding BNB were exploited through an old Vyper compiler version, according to decentralized exchange (DEX) Ellipsis. The attack also resulted in $13.6 million of withdrawals from Alchemix's alETH-ETH pool, $11.4 million from JPEGd's pETH-ETH pool, and $1.6 million from Metronome's sETH-ETH pool. Michael Egorov, CEO of Curve Finance, also acknowledged that someone had taken 32 million Curve DAO (CRV) tokens, valued at more than $22 million, out of the swap pool.

Because of the same flaw, the BNB Smart Chain (BSC) was also targeted by copycat attacks: three exploits resulted in the theft of almost $73,000 worth of bitcoins on BSC.

Since word of the attack spread, white hat and black hat hackers have been squabbling on-chain in an effort to stop each other’s attempts to use the vulnerability or recover funds.

Initial analysis revealed that some Vyper compiler versions did not correctly implement the reentrancy guard, the lock that is supposed to prevent a contract's functions from being entered again while a call into the contract is still executing.

This raised concerns about the exploit's impact on the wider crypto ecosystem, in particular because the vulnerability might expose all pools using Wrapped Ether (WETH) to attack.

Vyper is a smart contract programming language created for the Ethereum Virtual Machine. Since it is one of the most widely used Web3 programming languages, the flaw in three of its versions could put a number of other protocols at risk.
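The reentrancy guard finding above is easiest to understand with a model. The following Python sketch is an added illustration, not Curve's or Vyper's code, and does not reproduce the actual compiler defect: it models a toy vault whose guard keeps either one lock for the whole contract or a separate lock per function, and a property check a reviewer can run to confirm that a guard actually refuses re-entry from a callback. The `Vault`, `_guard` and `guard_blocks_cross_function_reentry` names are constructed for this example.

```python
from contextlib import contextmanager

class ReentrancyError(Exception):
    pass

class Vault:
    """Constructed toy contract with a configurable reentrancy guard.
    shared_lock=True : one lock flag for the whole contract (correct).
    shared_lock=False: an independent flag per function (faulty model)."""
    def __init__(self, shared_lock: bool):
        self.shared_lock = shared_lock
        self.balances = {}
        self._locks = {}

    @contextmanager
    def _guard(self, fn):
        # The guard's only job: refuse entry while any guarded call is live.
        key = "contract" if self.shared_lock else fn
        if self._locks.get(key):
            raise ReentrancyError(f"re-entry into {fn} blocked")
        self._locks[key] = True
        try:
            yield
        finally:
            self._locks[key] = False

    def deposit(self, user, amount):
        with self._guard("deposit"):
            self.balances[user] = self.balances.get(user, 0) + amount

    def withdraw(self, user, amount, on_transfer):
        with self._guard("withdraw"):
            if self.balances.get(user, 0) < amount:
                raise ValueError("insufficient balance")
            on_transfer(self)  # external call made before the state update
            self.balances[user] -= amount

def guard_blocks_cross_function_reentry(shared_lock: bool) -> bool:
    """Property check: while withdraw is executing, its callback tries to
    re-enter a different guarded function. True means the guard refused."""
    vault = Vault(shared_lock)
    vault.deposit("alice", 100)  # constructed sample balance
    outcome = []
    def callback(v):
        try:
            v.deposit("alice", 50)
            outcome.append("entered")
        except ReentrancyError:
            outcome.append("blocked")
    vault.withdraw("alice", 100, callback)
    return outcome == ["blocked"]
```

Only the shared lock passes the check; a per-function lock lets the callback reach the second function while the first call is still mid-execution, which is the class of guard failure an audit of the compiled output should look for.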

The exploit also produced one of the largest maximal extractable value (MEV) reward blocks ever, at $1,833 and 584.05 ETH. "Eric.eth," an Ethereum core developer, said that the bot spotted the impending hack in the mempool, copied the transaction, and front-ran it. To accomplish this, he said, "They pay the block producer a lot of ETH to be in front of the line." MEV bots can also spot upcoming liquidation transactions and front-run them to purchase the assets being liquidated first and at a discount.


Takeaways

The Curve-Vyper vulnerability is a stark reminder of the difficulties DeFi projects face in safeguarding the security and integrity of their platforms. As the crypto space keeps evolving, the importance of strong security measures and thorough code review, including review of the compiler toolchain itself, cannot be overstated.
