The Curve stablecoin exchange suffered a cyber attack that led to losses of $50 million, due to vulnerabilities in some versions of the Vyper programming language.
Vyper tweeted that versions 0.2.15, 0.2.16 and 0.3.0 of its compiler are vulnerable to malfunctioning of so-called reentrancy locks.
Curve Finance Suffers an Exploit
Unlike other exchanges which use middlemen, Curve Finance uses smart contracts to provide users with services such as stablecoin borrowing, lending, and trading. These smart contracts can be written in a variety of languages including Solidity, Yul, and Vyper.
According to Vyper, any project using versions 0.2.15, 0.2.16, or 0.3.0 of the language is vulnerable to malfunctioning reentrancy locks. Reentrancy is a common flaw that lets an attacker fool a smart contract by calling back into it repeatedly, before an earlier call has finished, in order to take money.
PSA: Vyper versions 0.2.15, 0.2.16 and 0.3.0 are vulnerable to malfunctioning reentrancy locks. The investigation is ongoing but any project relying on these versions should immediately reach out to us.
— Vyper (@vyperlang) July 30, 2023
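As an added illustration (not code from Vyper, Curve, or this article), the Python model below shows what a reentrancy lock is meant to guarantee: with the lock enforced, a callback into `withdraw` aborts the whole call, and without it the pool pays out more than the caller's balance. The `Pool` class, account names and amounts are constructed, and the unenforced lock is a stand-in for "a lock that fails", not a reproduction of the compiler defect.

```python
import copy

class Reentered(Exception):
    """A guarded function was entered while its lock was held."""

class Pool:
    """Toy ledger (constructed for this example, not Curve's contract)."""
    def __init__(self, lock_enforced):
        self.lock_enforced = lock_enforced  # False models a lock that does not block
        self.locked = False
        self.balances = {}
        self.reserve = 0

    def deposit(self, who, amount):
        self.balances[who] = self.balances.get(who, 0) + amount
        self.reserve += amount

    def withdraw(self, who, on_receive):
        if self.lock_enforced and self.locked:
            raise Reentered("withdraw entered while lock held")
        self.locked = True
        try:
            amount = min(self.balances.get(who, 0), self.reserve)
            self.reserve -= amount
            on_receive(amount)        # external call before the balance is cleared
            self.balances[who] = 0
            return amount
        finally:
            self.locked = False

def run_scenario(lock_enforced):
    """Return (paid_out, reserve, owed) after a recipient calls back into withdraw."""
    pool = Pool(lock_enforced)
    pool.deposit("user", 100)
    pool.deposit("caller", 10)
    received = []

    def on_receive(amount):
        received.append(amount)
        if len(received) < 3:         # nested call while the outer one is unfinished
            pool.withdraw("caller", on_receive)

    snapshot = copy.deepcopy(vars(pool))
    try:
        pool.withdraw("caller", on_receive)
    except Reentered:
        vars(pool).update(snapshot)   # model the whole transaction reverting
        received.clear()
    return sum(received), pool.reserve, sum(pool.balances.values())
```

A pool is solvent only while `reserve >= owed`; comparing the two returned values for each setting of `lock_enforced` is the invariant a regression test for the lock should assert.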
Using this vulnerability, Curve Finance reported that hackers were able to drain some stablecoin pools on the platform, used for pricing and liquidity on a number of different DeFi services. Since Curve is not the only platform that uses Vyper, other projects that use the language are also susceptible to the same vulnerability.
A number of stablepools (alETH/msETH/pETH) using Vyper 0.2.15 have been exploited as a result of a malfunctioning reentrancy lock. We are assessing the situation and will update the community as things develop.
Other pools are safe. https://t.co/eWy2d3cDDj
— Curve Finance (@CurveFinance) July 30, 2023
According to Curve Finance CEO Michael Egorov, the crv/eth swap pool was drained of 32 million CRV tokens, the platform’s native token, worth over $22 million. In addition, the company revealed that $13.6 million was stolen from Alchemix’s alETH-ETH pool and $11.4 million left JPEGd’s pETH-ETH pool.
An additional $1.6 million was also taken from Metronome’s sETH-ETH pool, bringing the total loss up to at least $48.6 million worth of crypto. The platform also warned that the Tricrypto pool, made of three tokens (USDC, wBTC, and ETH), was potentially affected. “Auditors and Vyper devs could not find a profitable exploit, but please exit that one,” Curve warned.
In total, the vulnerability has put over $100 million worth of crypto assets at risk across various pools on the platform.
Additionally, a BNB Chain-based exchange, Ellipsis, has disclosed that a couple of its swap pools were also exploited as a result of the Vyper vulnerability. The platform has yet to release the specific value of the assets lost.
A small number of stablepools with BNB using an old Vyper compiler have been exploited.
We are assessing the situation and will update the community on any further findings. https://t.co/pxkhRRSr5w
— Ellipsis (@Ellipsisfi) July 30, 2023
Curve Exploit Triggers DeFi Panic
The attack caused fear throughout the DeFi ecosystem, resulting in a wave of pool transactions and a white hat rescue effort. Curve Finance has been able to recover some funds courtesy of ‘c0ffeebabe.eth’, a bot operator, who returned 2,879 ETH, or around $5.5 million at today’s values, to the platform.
c0ffeebabe.eth frontruns another one for 2879 ETH pic.twitter.com/RCqLaJMaZv
— Spreek (@spreekaway) July 30, 2023
As a result of the panic, the lending and borrowing protocol Aave turned off its CRV borrowing feature. Egorov owes a huge $100 million CRV debt on Aave, and if CRV prices increase further and hit the liquidation level, the protocol will be forced to liquidate the CRV positions.
According to Coinmarketcap, the CRV token price has dropped by over 12% following the exploit, to trade at $0.6386 at the time of writing. As such, the South Korean exchange Upbit has suspended all deposits and withdrawals of the token.
“Today, certain vulnerabilities have been discovered in some of the stablecoin pools associated with Curve (CRV),” the exchange said, adding, “As a result, CRV is currently experiencing significant volatility. We advise exercising caution when considering any investments related to CRV.”