Hackers Exploit Curve Liquidity Pools, Stealing $47M from DeFi Protocols

TL;DR

On July 30, hackers found a vulnerability that caused the Curve exploit, leading to a loss of over $47 million across several decentralized finance (DeFi) protocols.

The attack targeted a vulnerability within the liquidity pools on Curve, an automated market maker (AMM) platform.

A Key to the Breach

Vyper, a third-party service used by Curve Finance, versions 0.2.15-0.3.0 malfunctioned, failing to implement reentrancy locks correctly. Security firm Ancilia found that many contracts utilized these vulnerable versions, enabling unauthorized access to funds.

As a result of an issue in Vyper compiler in versions 0.2.15-0.3.0, following pools were hacked:

crv/eth
aleth/eth
mseth/eth
peth/eth

Another pool potentially affected is arbitrum’s tricrypto. Auditors and Vyper devs could not find a profitable exploit, but please exit that one

— Curve Finance (@CurveFinance) July 31, 2023

Vyper, resembling Python, is vital for Ethereum smart contract development. The company immediately began investigating and urged projects relying on the flawed versions to contact them.

The Attack on Curve and JPEG’d

Curve Finance’s CEO also confirmed that $22 million in CRV tokens were drained.

Its utility token declined by over 12%, but the protocol assured that the attack didn’t affect crvUSD contracts or associated pools.

Hackers have previously targeted the protocol, and DeFi hacks surged, swindling over $204 million in Q2 of 2023 alone.

The NFT lending protocol JPEG’d also suffered heavily, losing $11 million in cryptocurrency. Initially, Curve referred to the flaw as a conventional, avoidable read-only “re-entrancy” exploit.

However, the platform later clarified this claim. Subsequently, the attackers exploited this vulnerability, which was eventually traced to a flaw in Vyper.

Attackers exploited Alchemix and Metronome DAO

JPEG’d was not alone in its losses, as Alchemix and Metronome DAO also fell victim to similar issues. They lost $13.6 million and $1.6 million, respectively.

Interestingly, a maximal extractable value (MEV) bot identified the attacker’s transaction and paid a charge to carry out a similar transaction, effectively front-running the attacker.

Just a casual Sunday in crypto.@JPEGd_69 has just been exploited for 6k ETH (~11 million USD) through a Curve read-only reentrancy attack.

Icing on the cake? The attacker got front-run by an MEV bot. Only in crypto can you get rekt like this.

Discovered by: @peckshield. pic.twitter.com/9k4npUUHVI

— W3nzel.eth (@thisiswenzel) July 30, 2023

Vyper acknowledged that the compiler for the programming language had failed, rendering the re-entry guards in the projects’ code inoperable. The failure of the guards, designed to protect against such re-entry attacks, illustrates the critical nature of this flaw.

Lessons from the Attack

The theft of $47 million and the jeopardizing of over $100 million from DeFi protocols sternly remind us of the risks associated with the emerging world of decentralized finance. The incident highlights the need for continuous vigilance, robust security measures, and the thorough evaluation of third-party tools and languages in the rapidly evolving crypto landscape.