Curve-Vyper exploit: The whole story so far – DeviceFile
0

Curve-Vyper exploit: The whole story so far

Curve Finance pools were targeted by hackers in a reentrancy attack on July 30,

sending shockwaves across the DeFi ecosystem. Cointelegraph compiled the week’s events.

The decentralized finance (DeFi) ecosystem has experienced a challenging week after a seismic security

incident led to over $61 million being stolen from Curve Finance’s pools, leaving several protocols facing broader contagion risks.

This attack exposed vulnerabilities across DeFi projects and sparked efforts to recover stolen funds over the past few days.

As the community navigates the aftermath of this exploit, Cointelegraph compiled the week’s events,

presenting a timeline of what happened since the hack on July 30.

The hack: Curve Finance pools are exploited for over $61 million due to reentrancy vulnerability

Several stable pools on Curve Finance using the Vyper programming language were

exploited on July 30, with losses reaching over $61 million (total losses were initially

estimated at $47 million). The vulnerability was found on Vyper’s versions 0.2.15, 0.2.16 and 0.3.0.

Several DeFi projects were affected by the attack. Decentralized exchange (DEX) Ellipsis reported that a small number of stable pools with BNB

BNB$241

were exploited using an old Vyper compiler. Alchemix’s alETH-ETH also witnessed $13.6 million of

outflows due to the attack, along with $11.4 million exploited on JPEGd’s pETH-ETH pool and $1.6

million from Metronome’s sETH-ETH pool. Curve Finance CEO Michael Egorov also confirmed

that 32 million Curve DAO (CRV) tokens worth over $22 million had been drained from the swap pool.

The BNB Smart Chain (BSC) was also a victim of copycat attacks due to the same vulnerability, with

around $73,000 worth of cryptocurrencies on BSC across three exploits being stolen.

Since news of the exploit broke, white hat and black hat hackers have been duking it out on-chain,

attempting to disrupt each others’ exploit attempts or efforts to recover funds.

Preliminary investigations found that some versions of the Vyper compiler did not correctly implement the reentrancy guard, which prevents multiple functions from being executed at the same time by locking a contract.

The impact: Vyper vulnerability exposes DeFi ecosystem to stress tests; CRV price plummets

The security incident exposed DeFi protocols to a stress test in the following days,

raising concerns about the impact of the exploit on the crypto ecosystem — in particular, because the vulnerability could place all pools with Wrapped Ether (WETH) at risk of attack.

Vyper is a contract programming language designed for the Ethereum Virtual Machine.

It is considered one of the most widely used Web3 programming languages,

meaning the bug in three of its versions could threaten several other protocols.

The exploit also led to one of the largest ever maximal extractable value (MEV) reward blocks of 584.05 Ether ETHtickers down$1,832

. According to Ethereum core developer “eric.eth,” the bot noticed an incoming hack

in the mempool, reproduced the transaction and front-ran it. “To do so they pay the

block producer a lot of ETH to be front of the line,” he explained. MEV bots can see

pending liquidation transactions and front-run them to buy the liquidated assets first at a discount.

Curve’s CEO scurries to pay collateralized loans

Threats elsewhere could also cause ripple effects across DeFi. Curve Finance founder Michael Egorov had around $100 million in loans backed by 47% of the circulating supply of the protocol’s native token, CRV.

However, the CRV price dropped nearly 30% following the hack, falling to a low of $0.48 amid fears that Egorov’s collateralized loans would be liquidated.

To reduce his debt position, Egorov sold 39.25 million CRV tokens to several notable DeFi investors,

including Justin Sun, Machi Big Brother and DWF Labs, for a total of $15.8 million.

The buyers purchased CRV at $0.40 per token, a 25% discount to the market price

at the time. In addition, Egorov made partial payments on two loans on Aave and Frax Finance.

CEX price feed prevents Curve price from collapsing

The CRV token price collapsed on the DeFi market due to the significant draining

of several pools; however, it was eventually saved by the centralized exchange

(CEX) price feed. The CRV price hit $0.086 on DEXs but traded at $0.60 on

CEXs, preventing the token’s price from collapsing to zero.

The ironic incident drew the attention of Binance CEO Changpeng Zhao, who chuckled at the fact that, in the end, it was a CEX price feed that saved the DeFi protocol.

Also reacting to an uncertain environment, Curve’s native stablecoin, crvUSD, briefly depegged on Aug. 3. The algorithmic stablecoin fell by as much as 0.35% before regaining its peg to the United States

dollar. Recently launched, crvUSD uses a mechanism for maintaining its peg called the PegKeeper

algorithm, which ensures that the crvUSD value is properly backed by collateral while balancing supply and demand.

DeFi community: Ethical hacker retrieves $5.4M for Curve Finance amid exploit

During the crisis, the DeFi community stood by Curve Finance. On July 31, a white hat hacker managed

to retrieve around 2,879 Ether worth around $5.4 million from an exploiter and returned the ETH to

Curve Finance. Hours later, another ethical hacker seized almost 3,000 ETH and returned the ETH to Curve’s deployer address.

Amid fears of liquidation surrounding Egorov’s loans, Jun Du, the co-founder of Huobi,

purchased 10 million CRV for $4 million from Curve’s CEO. Additionally,

Aave Chan founder Marc Zeller proposed the Aave Treasury buy $2 million worth

of CRV tokens from the protocol. According to the proposal, the acquisition would signal that DeFi players support the health of the ecosystem.

Cross-chain lending platform Abracadabra Money also proposed

increasing the interest rate on its outstanding loans to manage risks associated with its exposure to CRV.

The return of funds: Curve, Metronome and Alchemix offering 10% bug bounty; hacker takes it

On Aug. 3, Curve, Metronome and Alchemix jointly announced an initiative to

recover stolen funds from the recent exploits of Curve’s pools. The protocols

offered a 10% bounty of the seized funds as a reward, urging those responsible

for the exploit to step forward and return the remaining 90%, which would bring the bounty close to $7 million.

The offer came with a guarantee of no further legal actions or involvement of

law enforcement. “We want to resolve this in a civilized manner,” the protocols wrote to the hacker.

In less than 24 hours, on Aug. 4, the original attacker for the

multimillion-dollar exploit apparently accepted the bounty offer

and began returning funds stolen a few days earlier. The hacker sent

back 4,820.55 Alchemix ETH (alETH), worth approximately $8,889,118, to the Alchemix Finance team, as well as 1 ETH, approximately $1,844, to the Curve Finance team.

The attacker also posted a message that seems to have

been directed at the Alchemix and Curve teams, claiming

to be willing to return the funds but only because the person

didn’t want to “ruin” the projects involved and not because the attacker was caught.

A total of $8.9 million worth of cryptocurrency has been returned at the time of writing, equal to roughly 15% of the total amount drained.