Curve Finance falls prey to an exploit causing over $47 million in losses. The vulnerability was traced back to flawed reentrancy locks in several versions of Vyper.
Several stable pools on Curve Finance fell victim to an exploit on July 30, leading to losses exceeding $47 million. The culprit, according to the Vyper team, lies in its versions 0.2.15, 0.2.16, and 0.3.0, which have been found to have faulty reentrancy locks.
A number of stablepools (alETH/msETH/pETH) using Vyper 0.2.15 have been exploited as a result of a malfunctioning reentrancy lock. We are assessing the situation and will update the community as things develop.
— Curve Finance (@CurveFinance) July 30, 2023
Other pools are safe. https://t.co/eWy2d3cDDj
Vyper, still investigating the issue, urged any project using these versions to get in touch immediately. Security firm Ancilia identified 136 contracts using Vyper 0.2.15, 98 contracts on 0.2.16, and 226 contracts on 0.3.0, all with reentrant protection.
Preliminary investigation findings suggest that the reentrancy guard, which secures contracts from multiple simultaneous executions, was not implemented correctly in certain Vyper compiler versions, thereby making reentrancy attacks feasible. Such attacks can potentially empty a contract of all its funds.
Numerous DeFi projects suffered due to the attack. Decentralized exchange Ellipsis reported a minor exploitation of stable pools with BNB, attributing it to an outdated Vyper compiler. Alchemix's alETH-ETH experienced a $13.6 million outflow, while JPEGd's pETH-ETH pool and Metronome's sETH-ETH pool lost $11.4 million and $1.6 million, respectively. Curve Finance's CEO, Michael Egorov, later verified that over $22 million worth of 32 million CRV tokens had been siphoned from the swap pool.
Certain type of Curve factory pool is encountering read-only reentrancy attack and causing a total loss of $11m(@JPEGd_69) + $13m(@AlchemixFi) + ...
— Tony KΞ (@tonyke_bot) July 30, 2023
Initial investigation founds that vyper compiler (0.2.15) doesn't implement the reentrancy guard correctly.
add_liquidity and… pic.twitter.com/avaHdtSFsm
The exploit triggered a wave of panic throughout the DeFi sector, leading to a flurry of transactions across pools and initiating a rescue operation led by ethical hackers. CoinMarketCap data indicated drop of over 20% in the value of Curve Finance's utility token CRV following the news (at the time of writing). According to Curve Finance, crvUSD contracts and pools containing it were unaffected by the attack.
It's not the first time Curve has been a target for hackers. Conic Finance, its omnipool platform, recently saw a theft of over $3 million in ETH.
Subscribe to our newsletter and follow us on Twitter.
In a shocking twist, Justice Mellor's written report confirms the content of his initial oral report.
Shorting a stock in raging bull mode has one likely outcome.
Anyone buying one of Fidelity's all-in-one ETFs will now gain exposure to bitcoin.
As Bitcoin takes center stage, gold ETFs are seeing significant outflows.
Everything you need to know about Blockchain, Artificial Intelligence, Web3 and Finance.