Key takeaways:
- Several Curve Finance stable pools built with Vyper were exploited, resulting in roughly $47 million in losses.
- A white hat hacker recovered about 2,879 Ether, valued at approximately $5.4 million, from an exploiter and returned it to Curve Finance on the same day.
On July 30, several Curve Finance stable pools built with Vyper were exploited, resulting in roughly $47 million in losses.
Vyper reported that the reentrancy locks produced by its compiler versions 0.2.15, 0.2.16 and 0.3.0 can fail. On X (formerly Twitter), Vyper wrote:
“The investigation is ongoing, but any project relying on these versions should immediately reach out to us,”
According to security company Ancilia's analysis of the affected contracts, 136 contracts used Vyper 0.2.15 with reentrancy protection, 98 used Vyper 0.2.16, and 226 used Vyper 0.3.0.
Vyper is a contract-oriented, pythonic programming language targeting the Ethereum Virtual Machine (EVM). Because it closely resembles Python, it is a natural starting point for Python developers learning Web3.
According to initial investigations, some Vyper compiler versions do not correctly implement the reentrancy guard. The guard is a lock that is meant to stop a contract function from being entered again (directly, or through another function that shares the same lock) before the first call has finished updating state. If the lock does not hold, an attacker who regains control during an external call, such as an ETH transfer, can re-enter and drain all of the contract's funds.
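To make the failure mode concrete, here is a small Python model of the guard semantics, added as an example; it is not Vyper, not the Vyper compiler's code and not Curve's pool code, and the pool arithmetic is deliberately simplified so that the effect of the reentrant call is visible. Two functions share the lock key "lock". A correct compiler maps that key to one storage slot, so entering `remove_liquidity` blocks a nested `add_liquidity`. The model's "per-function" mode gives each function its own slot, so the shared key no longer links the two functions and the nested call goes through. The `Pool`, `Attacker` and `run` names are hypothetical.

```python
"""Model of a Vyper-style reentrancy guard (example code, not Vyper or Curve code).

The pool numbers and the attacker contract are constructed for the demo.
"""
from functools import wraps


class Reverted(Exception):
    """Models an EVM revert raised by the reentrancy guard."""


def nonreentrant(key):
    """Python stand-in for Vyper's @nonreentrant(key) decorator (model only)."""
    def deco(fn):
        @wraps(fn)
        def wrapper(self, *args, **kwargs):
            slot = self._lock_slot(key, fn.__name__)
            if self.locks.get(slot):
                raise Reverted(f"reentrant call into {fn.__name__}")
            self.locks[slot] = True
            try:
                return fn(self, *args, **kwargs)
            finally:
                self.locks[slot] = False
        return wrapper
    return deco


class Pool:
    """Hypothetical two-function pool with deliberately simple math."""

    def __init__(self, eth, lp_supply, per_function_locks):
        self.eth = eth                  # ETH held by the pool
        self.lp_supply = lp_supply      # outstanding LP tokens
        self.locks = {}                 # "storage slots" holding lock flags
        self.per_function_locks = per_function_locks

    def _lock_slot(self, key, fn_name):
        # Correct behaviour: one slot per key, shared by every function using it.
        # Faulty behaviour modelled here: a separate slot per function, so the
        # shared key no longer prevents cross-function reentrancy.
        return (key, fn_name) if self.per_function_locks else key

    @nonreentrant("lock")
    def add_liquidity(self, eth_in):
        minted = eth_in * self.lp_supply // self.eth
        self.eth += eth_in
        self.lp_supply += minted
        return minted

    @nonreentrant("lock")
    def remove_liquidity(self, lp_in, receiver):
        eth_out = lp_in * self.eth // self.lp_supply
        self.eth -= eth_out
        receiver.receive_eth(self, eth_out)   # external ETH transfer hands control to the receiver
        self.lp_supply -= lp_in               # supply is only finalised after the call returns
        return eth_out


class Attacker:
    """Receiver that tries to re-enter through the *other* guarded function."""

    def __init__(self):
        self.reentrant_minted = None

    def receive_eth(self, pool, amount):
        try:
            self.reentrant_minted = pool.add_liquidity(amount)
        except Reverted:
            # Models a low-level call that swallows the revert; the outer withdrawal continues.
            self.reentrant_minted = None


def run(per_function_locks):
    """Withdraw 100 LP and report what the nested deposit managed to mint."""
    pool = Pool(eth=1000, lp_supply=1000, per_function_locks=per_function_locks)
    attacker = Attacker()
    pool.remove_liquidity(100, attacker)
    return {"minted": attacker.reentrant_minted, "eth": pool.eth, "lp_supply": pool.lp_supply}


if __name__ == "__main__":
    print("shared lock  :", run(per_function_locks=False))  # nested deposit reverts
    print("per-function :", run(per_function_locks=True))   # nested deposit mints 111 LP for 100 ETH
```

With the shared slot the nested deposit reverts and the pool ends at 900 ETH against 900 LP. With per-function slots the attacker burns 100 LP, receives 100 ETH, redeposits it while `lp_supply` is still stale, and is minted 111 LP, leaving the pool holding 1000 ETH against 1011 LP: the extra LP is the attacker's free claim on other depositors' funds. The lock key in the contract source is not the problem, so the remedy for a project on one of the listed versions is to recompile with a compiler outside that range rather than to rewrite the decorator.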
The exploit affected several decentralized finance projects. According to the decentralized exchange Ellipsis, a small number of its BNB stable pools were exploited because they had been compiled with an old Vyper compiler. In addition, $13.6 million was drained from Alchemix's alETH-ETH pool, $11.4 million from JPEGd's pETH-ETH pool, and $1.6 million from Metronome's sETH-ETH pool.
Later, Michael Egorov, the CEO of Curve Finance, confirmed that 32 million CRV tokens, worth more than $22 million, had been drained from the swap pool. Curve Finance stated on Discord:
“The short answer is that everything that could be drained was drained. The targeted pools are aETH/ETH, msETH/ETH, pETH/ETH and CRV/ETH. All remaining pools are safe and unaffected by the bug,”
The exploit spread fear across the DeFi ecosystem, triggering a wave of pool transactions and a white hat rescue effort.
Curve Finance is a DeFi protocol that enables decentralized stablecoin exchange on Ethereum. Its ecosystem has been the target of several recent incidents.
Conic Finance's omnipool platform was recently compromised for $3.26 million in ether, with nearly the entire stolen amount moved to a new Ethereum address in a single transaction.
In the midst of the current incident, a white hat hacker recovered about 2,879 Ether, valued at approximately $5.4 million, from an exploiter and returned it to Curve Finance on the same day. The bot operator known as "c0ffeebabe.eth" used a front-running bot to get ahead of the attacker's transaction and capture roughly 3,000 ETH of the stolen funds.
The money was subsequently transferred back to the Curve deployer address, which appears to be the legitimate owner of the funds.
Twitter accounts posing as Curve Finance employees and as hack victims are promoting a fake reimbursement scheme aimed at people who have already lost money in the attack. No refund plan has been announced on the official Curve Finance account.
In the meantime, the US Securities and Exchange Commission (SEC) has approved new rules on cybersecurity incidents at US public companies. Under the rules, a company must disclose a cyberattack within four business days of determining that the incident is "material."