Curve Finance, a decentralized finance (DeFi) protocol that facilitates the trading of stablecoins and other tokens, saw several of its liquidity pools exploited on Sunday as a result of a bug in the Vyper compiler that affected smart contracts compiled with versions 0.2.15, 0.2.16 and 0.3.0 of the Vyper programming language.
A number of stablepools (alETH/msETH/pETH) using Vyper 0.2.15 have been exploited as a result of a malfunctioning reentrancy lock. We are assessing the situation and will update the community as things develop.
Other pools are safe. https://t.co/eWy2d3cDDj
— Curve Finance (@CurveFinance) July 30, 2023
Blockchain security firm PeckShield estimates that, so far, around $52 million has been stolen from a number of DeFi protocols that relied on Curve’s liquidity pools. However, some on-chain analysts believe this figure could be much higher.
Among those affected by the attack was decentralized exchange Ellipsis, which said a number of its BNB stablepools compiled with an affected Vyper version had been exploited. DeFi lending platform Alchemix’s alETH-ETH pool was drained for $13.6 million and NFT lending protocol JPEGd’s pETH-ETH pool lost $11.4 million.
An initial investigation of the exploit pointed to some versions of the Vyper compiler incorrectly implementing the re-entrancy guard. A re-entrancy guard (Vyper’s @nonreentrant decorator) is a storage lock that stops a function, or any group of functions sharing the same lock key, from being entered again while one of them is still executing, typically during an external call that hands control to an untrusted contract. In the affected compiler versions, functions that shared a key were each given their own storage slot for the lock instead of a single shared one, so a lock taken by one pool function (such as a withdrawal that sends ETH) did not block the attacker’s contract from re-entering a different function of the same pool while its state was only partly updated.
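To make the failure concrete, the following is an added toy model written for this article; it is not Curve’s pool code or Vyper’s compiler. It models contract storage as a dictionary, a two-function pool whose share price is deliberately simplified to `amount * supply // balance` (not the StableSwap invariant), and a withdrawal that makes its external ETH transfer after reducing the pool balance but before burning the shares. The `lock_slot_per_key` switch selects between a single storage slot per lock key (the intended and later-fixed behaviour) and one slot per function (the behaviour of the affected compilers). The pool sizes, the attacker’s capital and the name `run_attack` are all constructed for the illustration.

```python
"""Toy model of the per-function @nonreentrant lock slot bug (added example,
not Curve's pool code or Vyper's compiler; the pool math is simplified)."""


class Reentered(Exception):
    """A @nonreentrant lock is already held; on the EVM this call would revert."""


class ToyPool:
    def __init__(self, lock_slot_per_key):
        self.storage = {}  # contract storage, modelled as slot -> value
        # True : fixed compilers, every function tagged @nonreentrant("lock")
        #        shares ONE storage slot for that key.
        # False: affected compilers, each function got its OWN slot for the
        #        key, so a lock held by remove_liquidity did not stop add_liquidity.
        self.lock_slot_per_key = lock_slot_per_key
        self.balance = 0   # ETH held by the pool
        self.supply = 0    # LP shares outstanding
        self.shares = {}   # holder -> LP shares

    def _lock_slot(self, fn, key):
        return ("nonreentrant", key) if self.lock_slot_per_key else ("nonreentrant", key, fn)

    def _acquire(self, fn, key="lock"):
        slot = self._lock_slot(fn, key)
        if self.storage.get(slot, 0):
            raise Reentered(f"{fn}: slot {slot} already locked")
        self.storage[slot] = 1

    def _release(self, fn, key="lock"):
        self.storage[self._lock_slot(fn, key)] = 0

    # Stands in for @nonreentrant("lock") on the Vyper function.
    def add_liquidity(self, who, amount):
        self._acquire("add_liquidity")
        try:
            minted = amount if self.supply == 0 else amount * self.supply // self.balance
            self.balance += amount
            self.supply += minted
            self.shares[who] = self.shares.get(who, 0) + minted
            return minted
        finally:
            self._release("add_liquidity")

    # Stands in for @nonreentrant("lock") on the Vyper function.
    def remove_liquidity(self, who, amount, recipient):
        self._acquire("remove_liquidity")
        try:
            if self.shares.get(who, 0) < amount:
                raise ValueError("insufficient shares")
            payout = amount * self.balance // self.supply
            self.balance -= payout                # reserves already reduced ...
            recipient.receive_eth(self, payout)   # ... external call hands over control ...
            self.supply -= amount                 # ... shares burned only afterwards
            self.shares[who] -= amount
            return payout
        finally:
            self._release("remove_liquidity")


class Attacker:
    """Contract whose ETH-receive hook re-enters a *different* locked function."""

    def __init__(self, eth):
        self.eth = eth
        self.armed = True      # re-enter only once, for a readable trace
        self.blocked = False

    def receive_eth(self, pool, amount):
        self.eth += amount
        if not self.armed:
            return
        self.armed = False
        # Inside remove_liquidity: supply still high, balance already low,
        # so add_liquidity prices shares too cheaply.
        try:
            self.eth -= 1000
            pool.add_liquidity("attacker", 1000)
        except Reentered:
            self.eth += 1000   # inner call reverted, nothing was spent
            self.blocked = True


def run_attack(lock_slot_per_key):
    """Constructed scenario: honest LP seeds 1000 ETH, attacker brings 2000 ETH."""
    pool = ToyPool(lock_slot_per_key)
    pool.add_liquidity("lp", 1000)
    atk = Attacker(eth=2000)
    atk.eth -= 1000
    pool.add_liquidity("attacker", 1000)
    pool.remove_liquidity("attacker", 1000, atk)   # withdrawal triggers the re-entry
    if pool.shares.get("attacker", 0):             # cash out whatever is left
        pool.remove_liquidity("attacker", pool.shares["attacker"], atk)
    return {
        "reentry_blocked": atk.blocked,
        "attacker_profit": atk.eth - 2000,
        "lp_redeemable": pool.shares["lp"] * pool.balance // pool.supply,
    }


if __name__ == "__main__":
    print("per-function slots:", run_attack(lock_slot_per_key=False))
    print("shared slot       :", run_attack(lock_slot_per_key=True))
```

With per-function lock slots the re-entrant `add_liquidity` succeeds and the attacker walks away with a third of the honest depositor’s funds in this toy; with one slot per key the second call hits the lock held by `remove_liquidity` and reverts, and the attacker ends exactly where they started. The practical check this suggests for any contract that relies on a compiler-provided lock is to verify, in the compiled bytecode or with a test that re-enters across functions, that every function sharing a key really reads and writes the same storage slot.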
Following the chaos, developers from across the ecosystem came together to mount a whitehat rescue operation, moving funds still at risk out of the vulnerable pools before attackers could reach them. Two of those attempts were nonetheless front-run: attackers watching the public mempool got their own transactions mined just minutes before the rescue transactions could execute.
unfortunately the second curve whitehat attempt was frontrun too https://t.co/S3n7tuVI39
— banteg (@bantg) July 30, 2023
Analysts at BlockSec believe that the hackers’ wallet was funded from crypto exchange Binance.
The price of Curve DAO’s native token CRV dropped 15% to $0.62 on the news, raising fears that the CRV-collateralized borrowing position held by Curve founder Michael Egorov on Aave could be liquidated. Market participants cautioned that if CRV fell below roughly $0.42, around $100 million could be liquidated, with effects that would be felt across the wider DeFi ecosystem.
Egorov has since repaid a significant portion of his debt, making a cascading liquidation event far less likely.