On July 30, 2023, attackers exploited a vulnerability in several liquidity pools on Curve, an automated market maker (AMM) platform, draining more than $47 million across several decentralized finance (DeFi) protocols.
A Key to the Breach
The root cause lay in Vyper, the smart contract language and compiler that Curve Finance builds its pools with: versions 0.2.15 through 0.3.0 compiled reentrancy locks incorrectly, so functions that developers had marked as protected could still be re-entered. Security firm Ancilia found that many deployed contracts had been compiled with these versions, leaving their funds exposed to the same theft.
Vyper, a Python-like language, is one of the main languages for Ethereum smart contract development. The Vyper team immediately began investigating and urged projects that had deployed contracts compiled with the affected versions to contact them.
The Attack on Curve and JPEG’d
Curve Finance's CEO confirmed that $22 million in CRV tokens were drained from the protocol.
The CRV token fell by more than 12%, but the protocol stated that the attack did not affect crvUSD contracts or their associated pools.
Curve has been targeted before, and DeFi hacks as a whole have surged, with over $204 million stolen in Q2 2023 alone.
The NFT lending protocol JPEG'd also suffered heavily, losing $11 million in cryptocurrency. Curve initially described the flaw as a conventional, avoidable read-only reentrancy exploit (the known class of bug in which an integrator reads a view function, such as a price getter, while the pool's state is mid-update), but later walked that back: the root cause was traced to the Vyper compiler rather than to a coding mistake in the pool contracts.
Alchemix and Metronome DAO Were Also Hit
JPEG'd was not alone: Alchemix and Metronome DAO fell victim to the same lock failure, losing $13.6 million and $1.6 million respectively.
Notably, a maximal extractable value (MEV) bot spotted the attacker's pending transaction and paid a higher fee to have a copy of it executed first, effectively front-running the attacker.
The Vyper team acknowledged that the compiler, not the projects' source code, was at fault: the reentrancy guards the developers had written were compiled into bytecode that did not actually prevent reentry. Because the source looked correct, a source-level audit of the contracts would not have revealed the problem; the guarantee has to be checked against the compiled artifact that is actually deployed. The failure of guards designed specifically to stop this class of attack is what made the flaw so severe.
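The guard failure described above, as an added simulation (not Curve's pool code and not Vyper or its compiler output): a toy single-asset pool in Python whose `remove_liquidity` pays the caller out before burning LP tokens, driven once with a lock that shares one flag across both functions and once with a lock that keeps a separate flag per function. The per-function flag is an assumed model of the malfunction, and the pool, accounts and amounts are constructed for the example.

```python
"""Cross-function reentrancy against a working vs. a malfunctioning lock.
Constructed simulation: not Curve's pool code and not the Vyper compiler."""


class ReentrancyError(Exception):
    pass


class Lock:
    """shared=True: every function guarded with the key checks one flag, so a
    lock held by remove_liquidity also blocks add_liquidity (correct).
    shared=False: one flag per function (assumed model of the malfunction),
    so the lock held in one function is invisible to the other."""

    def __init__(self, shared):
        self.shared = shared
        self.held = {}

    def _slot(self, fn_name):
        return "key" if self.shared else fn_name

    def acquire(self, fn_name):
        if self.held.get(self._slot(fn_name)):
            raise ReentrancyError(f"re-entered {fn_name}")
        self.held[self._slot(fn_name)] = True

    def release(self, fn_name):
        self.held[self._slot(fn_name)] = False


class Pool:
    """One-asset pool with pro-rata LP shares and EVM-style integer math.
    Like the exploited pools, remove_liquidity pays out before it burns LP."""

    def __init__(self, lock):
        self.lock = lock
        self.balance = 0       # asset held by the pool
        self.total_supply = 0  # LP tokens outstanding
        self.lp = {}           # LP balance per account

    def add_liquidity(self, caller, amount):
        self.lock.acquire("add_liquidity")
        try:
            # Minted against the current balance: if total_supply is stale
            # (an in-flight withdrawal has not burned yet) this over-mints.
            minted = amount if self.total_supply == 0 else self.total_supply * amount // self.balance
            caller.eth -= amount
            self.balance += amount
            self.total_supply += minted
            self.lp[caller] = self.lp.get(caller, 0) + minted
            return minted
        finally:
            self.lock.release("add_liquidity")

    def remove_liquidity(self, caller, lp_amount):
        self.lock.acquire("remove_liquidity")
        try:
            value = self.balance * lp_amount // self.total_supply
            self.balance -= value
            caller.receive(self, value)       # external call: callback window
            self.total_supply -= lp_amount    # burn only after the payout
            self.lp[caller] -= lp_amount
            return value
        finally:
            self.lock.release("remove_liquidity")


class Account:
    """If armed, re-enters add_liquidity once from the payout callback (a contract
    would do this in its fallback). A rejected re-entry is caught, as try/catch
    around an external call would, so the outer withdrawal still completes."""

    def __init__(self, eth):
        self.eth = eth
        self.armed = False
        self.reentered = False

    def receive(self, pool, value):
        self.eth += value
        if not self.armed:
            return
        self.armed = False
        try:
            pool.add_liquidity(self, 100)
            self.reentered = True
        except ReentrancyError:
            pass


def run_attack(shared):
    """Returns (attacker profit, re-entry succeeded, pool balance, LP supply)."""
    pool = Pool(Lock(shared))
    pool.add_liquidity(Account(eth=900), 900)      # honest LP: 900 asset / 900 LP
    attacker = Account(eth=200)
    pool.add_liquidity(attacker, 100)              # attacker now holds 100 LP
    attacker.armed = True
    pool.remove_liquidity(attacker, 100)           # callback fires in here
    leftover = pool.lp.get(attacker, 0)
    if leftover:
        pool.remove_liquidity(attacker, leftover)  # cash out over-minted LP
    return attacker.eth - 200, attacker.reentered, pool.balance, pool.total_supply
```

Calling `run_attack(shared=False)` returns a profit of 9 for the attacker with the honest LP's 900 shares now backed by only 891 units: the callback's `add_liquidity` minted shares against a balance that was already reduced while `total_supply` was still stale. `run_attack(shared=True)` returns a profit of 0 and an unchanged pool, because the same callback raises inside `acquire`. The only difference between the two runs is the lock semantics, which is why correct-looking source was no protection here; the guarantee has to be checked in the bytecode the compiler actually produced.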
Lessons from the Attack
The theft of $47 million, with over $100 million more put at risk across DeFi protocols, is a stern reminder of the risks in decentralized finance. The incident highlights the need for continuous vigilance, robust security measures, and thorough evaluation of the third-party tooling a protocol depends on, including the compilers and languages its contracts are built with, which are part of the supply chain it inherits.