Several stablecoin pools on Curve Finance using Vyper contracts were drained due to a re-entrancy vulnerability, with millions of dollars’ worth of crypto still at risk.
Posted July 30, 2023 at 9:06 pm EST.
Curve Finance, a decentralized finance (DeFi) protocol that facilitates trading of stablecoins and other tokens, saw several of its liquidity pools exploited on Sunday as a result of a bug in smart contracts that use versions 0.2.15, 0.2.16 and 0.3.0 of the Vyper programming language.
A number of stablepools (alETH/msETH/pETH) using Vyper 0.2.15 have been exploited as a result of a malfunctioning reentrancy lock. We are assessing the situation and will update the community as things develop.
Other pools are safe. https://t.co/eWy2d3cDDj
— Curve Finance (@CurveFinance) July 30, 2023
Blockchain security firm PeckShield estimates that, so far, around $52 million has been stolen from a number of DeFi protocols that relied on Curve’s liquidity pools. However, some on-chain analysts believe this figure could be much higher.
Among those affected by the attack was decentralized exchange Ellipsis, which said a number of BNB stablepools that used a Vyper compiler had been exploited. DeFi lending platform Alchemix’s alETH-ETH pool was drained for $13.6 million and NFT lending protocol JPEGd’s pETH-ETH pool lost $11.4 million.
An initial investigation of the exploit pointed to some versions of the Vyper compiler incorrectly implementing a re-entrancy guard, a security measure for smart contracts that fends off re-entrancy exploits by preventing multiple functions from being called at the same time.
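To make the role of a re-entrancy guard concrete, here is a toy Python model added for illustration; it is not Curve's or Vyper's code. The `Pool` class, its `withdraw`/`deposit` functions and the per-function lock slot are assumptions chosen to show one way a guard can malfunction (the article does not detail the compiler defect), together with a regression check that the lock covers every guarded function.

```python
class ReentrancyError(Exception):
    """Raised when a guarded function is entered while the lock is held."""


class Pool:
    """Hypothetical pool whose guarded functions are meant to share one lock."""

    def __init__(self, shared_lock=True):
        self.shared_lock = shared_lock
        self.locks = {}    # lock slot -> currently held?
        self.entered = []  # trace of guarded functions that actually ran

    def _guard(self, fn_name):
        # Correct guard: every guarded function checks the same slot.
        # Malfunctioning guard (assumed failure mode): one slot per function,
        # so holding the lock in one function does not protect the others.
        slot = "lock" if self.shared_lock else f"lock:{fn_name}"
        if self.locks.get(slot):
            raise ReentrancyError(fn_name)
        self.locks[slot] = True
        return slot

    def withdraw(self, on_transfer=None):
        slot = self._guard("withdraw")
        try:
            self.entered.append("withdraw")
            if on_transfer:
                on_transfer(self)  # external call made while the lock is held
        finally:
            self.locks[slot] = False

    def deposit(self):
        slot = self._guard("deposit")
        try:
            self.entered.append("deposit")
        finally:
            self.locks[slot] = False


def guard_blocks_cross_function_reentry(pool):
    """Return True if a callback issued during withdraw() is refused by deposit()."""
    outcome = {}

    def callback(p):
        try:
            p.deposit()
            outcome["blocked"] = False
        except ReentrancyError:
            outcome["blocked"] = True

    pool.withdraw(on_transfer=callback)
    return outcome["blocked"]
```

A check like `guard_blocks_cross_function_reentry` belongs in a contract's test suite for every pair of guarded functions, since a guard that only stops a function from re-entering itself passes single-function tests.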
Following the chaos, a number of developers across the ecosystem came together to carry out a whitehat rescue operation for the funds at risk. Two of those attempts, however, were front-run by hackers just minutes before they could be executed.
unfortunately the second curve whitehat attempt was frontrun too https://t.co/S3n7tuVI39
— banteg (@bantg) July 30, 2023
Analysts at BlockSec believe that the hackers’ wallet was funded from crypto exchange Binance.
The price of Curve DAO’s native token CRV dropped 15% to $0.62 following the news, prompting fears that a liquidation could be triggered on Curve founder Michael Egorov’s borrowing position on Aave. Market participants cautioned that if the price of CRV falls below $0.42, around $100 million could be liquidated, the effects of which would be felt throughout the wider DeFi ecosystem.
Egorov has since paid back a significant amount of his debt, making a cascading liquidation event far less likely.
- Source: https://unchainedcrypto.com/52-million-drained-in-curve-finance-pools-exploit/