Curve suffers multi-million dollar losses in attack, protocol and associated risks all at once!
This morning, the decentralized exchange Curve Finance on Ethereum was attacked due to a reentrancy bug, resulting in total losses exceeding $50 million. Other related DeFi protocols have also been severely affected, causing significant price fluctuations on major trading platforms. This article will detail the impacted protocols and associated risks.
Recap: Curve Finance suffered a reentrancy bug, with total losses exceeding $41 million and CRV dropping by 16%.
Table of Contents
Exploitation of Vulnerability in Curve Finance Protocol Version
Root Cause
The vulnerability in Curve Finance, as per the source, stemmed from a "reentrancy bug" where hackers exploited a specific function by repeatedly calling it within a single transaction, disrupting the original multi-step verification process. This enabled them to continue malicious operations, allowing them to steal funds beyond their authorized limits from the liquidity pool.
This vulnerability could be mitigated by implementing a "reentry lock" to prevent contracts from executing specific functions multiple times concurrently.
However, certain versions of the Vyper programming language did not correctly trigger this protective mechanism, as reported by Vyper here. Versions 0.2.15, 0.2.16, and 0.3.0 were found to be vulnerable.
Prior to this, the lending protocol EraLend on Ethereum's zkSync also fell victim to a similar Read-only Reentrancy Attack. It is speculated that malicious actors, following that incident, discovered similar vulnerabilities in various protocols, subsequently launching attacks.
Previous Patch of the Vulnerability
Furthermore, according to security researcher Chaofan Shou on-chain, the vulnerability was inadvertently patched as early as version 0.3.1 of Vyper in 2021.
It remains uncertain whether the Vyper team was aware of this, but what is known is that this critical vulnerability was not explicitly flagged or marked.
What is Vyper?
Vyper is an Ethereum-compatible smart contract programming language that supports Python and is designed for the Ethereum Virtual Machine (EVM). Known for its developer-friendly nature compared to Solidity, it is considered one of the most widely used languages in Web3, indicating its significant impact.
Affected Protocols and Associated Risks
Losses Incurred by Various Protocols
Currently affected protocols, as per statistics, are as follows:
- Curve: CRV-ETH pool, $24.1 million loss
- Alchemix: alETH-ETH pool, $20.61 million loss
- Metronome: sETH-ETH pool, $11.4 million loss
- JPEGd: pETH-ETH pool, $1.62 million loss
According to data analyst Tay, some funds have been progressively returned by multiple white-hat hackers.
Related Risks
Cybersecurity firm Ancilia stated that there are currently 98 smart contracts written using Vyper 0.2.16 and an additional 226 contracts using Vyper 0.3.0, indicating many protocols are still at risk due to not upgrading. Audit firm BlockSec also warned that this vulnerability could expose all liquidity pools related to wETH to risks.
Additionally, Curve founder Mich Will currently holds four substantial loans, with the largest debt of $65 million on the Aave protocol, with a liquidation price for $CRV between $0.37 and 0.4.
Continued Instances of Mimicked Attacks
Notably, certain stablecoin pools on the Binance Smart Chain (BSC) have also been subjected to a series of similar Vyper vulnerability mimicked attacks, where other hackers apply the same attack method on different targets.
According to BlockSec data, attackers managed to steal $73,800 in cryptocurrency, and such attacks are likely to persist.
Related
- BitGo's new stablecoin USDS is set to launch in 2025, sharing profits with liquidity providers.
- Ripple upgrades XRPL in collaboration with Futureverse, investing tens of millions of dollars in Japan and South Korea.
- Ignas: Korean projects repeatedly create bullish market miracles, optimistic about Story sparking another trend