Vyper bug attacks Curve Finance in $70m exploit

Decentralised exchange Curve Finance was a victim of a series of attacks yesterday that resulted in a loss of more than $70 million in various digital assets.


Decentralised exchange Curve Finance was a victim of a series of attacks yesterday, Sunday 30 July, that resulted in a loss of more than $70 million in various digital assets.

The hacks were traced back to Vyper, an alternative, third-party programming language for Ethereum smart contracts. A bug caused some versions of its compiler for the Ethereum virtual machine (EVM) to malfunction, putting Curve Finance at risk of liquidation.

In its official announcement on Twitter, Curve said that its other liquidity pools that don’t leverage the Vyper language are safe.

Versions 0.2.15, 0.2.16, and 0.3.0 of Vyper’s compiler failed to properly implement the reentrancy lock, a security mechanism that prevents a function in a smart contract from being called again before the previous call has completed.

These locks ensure that malicious actors can’t repeatedly call smart contract functions that withdraw funds. With the lock failing in the affected compiler versions, attackers exploited the vulnerability and repeatedly called the function across a number of protocols that use those versions of the Vyper compiler.
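The behaviour described above, as an added example that is not code from Curve, Vyper or the original article: a toy Python model of a pool whose withdraw function is guarded by a reentrancy lock, run once with the lock enforced and once with it not applied. The `Pool` class, the account names and the amounts are constructed for illustration.

```python
class ReentrancyError(Exception):
    """Raised when a guarded function is entered while a call is in progress."""


class Pool:
    """Toy model of a pool holding deposits (constructed, not Curve's code)."""

    def __init__(self, lock_enforced=True):
        self.lock_enforced = lock_enforced
        self.locked = False
        self.balances = {}
        self.reserve = 0

    def deposit(self, who, amount):
        self.balances[who] = self.balances.get(who, 0) + amount
        self.reserve += amount

    def withdraw(self, who, on_receive):
        # The reentrancy lock: refuse entry while an earlier call is unfinished.
        if self.lock_enforced and self.locked:
            raise ReentrancyError("withdraw re-entered")
        self.locked = True
        try:
            amount = self.balances.get(who, 0)
            self.reserve -= amount
            on_receive(amount)       # external call runs before the balance is cleared
            self.balances[who] = 0
            return amount
        finally:
            self.locked = False


def simulate(lock_enforced):
    """Return (paid_out, reserve_left, reentry_blocked) for one nested withdrawal."""
    pool = Pool(lock_enforced)
    pool.deposit("alice", 100)       # constructed sample deposits
    pool.deposit("bob", 100)
    paid, blocked = [], []

    def callback(amount):
        paid.append(amount)
        if len(paid) == 1:           # call back in once, while the first call is open
            try:
                pool.withdraw("bob", callback)
            except ReentrancyError:
                blocked.append(True)

    pool.withdraw("bob", callback)
    return sum(paid), pool.reserve, bool(blocked)
```

With the lock enforced, the nested call is rejected and the pool pays out only the 100 that was deposited; without it, the same account is paid twice and the reserve that should cover the other depositor is gone.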

The main target here was Curve Finance (CRV) pools, which are a type of automated market maker (AMM) providing efficient and low-cost trading for stablecoins. They took the roughest beating: initial estimates put the losses from the exploit on CRV pools at as much as $70m.

As confirmed by Curve, the affected pools which were “drained or white hacked” included alETH/ETH, msETH/ETH, pETH/ETH, and CRV/ETH.

NFT-lending protocol JPEG’d was one of the first targets to identify an issue with its pool on Curve. According to decentralised finance security firm Decurity, $11m worth of cryptocurrency was stolen from the protocol.

Soon after, liquidity pools of Alchemix and Metronome DAO lost $13.6m and $1.6m, respectively, in a similar manner. Pendle’s pETH-ETH pool was also affected, taking the loss of the broader hack to almost $70m.

However, some of the hacks were reportedly executed by white hat hackers. This could mean that the total amount lost is closer to $50m.

Assuring its users, Metronome DAO stated in a Twitter post that it had started investigating to find out what happened. It also described the attack as “part of a broader set of exploits”.

Curve Finance is one of the leading decentralised exchanges in DeFi, with about $3 billion in liquidity. The platform is highly important for stablecoin swap markets, which luckily weren’t affected in the recent attack.

Following the recent string of hacks, Curve’s $CRV governance and rewards token went down by almost 14%. After falling as low as $0.58 yesterday, it was trading at $0.64 at press time.

About Author

Diya
