What happened during the Curve Finance hack?

On June 30th, a hacker targeted Curve Finance, a decentralized exchange, and exploited a vulnerability, resulting in an estimated loss of $52 million.

What critical vulnerability was exposed in the DeFi ecosystem?

The breach exposed a critical vulnerability in the DeFi ecosystem that affects smart contracts built with specific versions (0.2.15, 0.2.16, and 0.3.0) of the Vyper programming language due to an old compiler vulnerability.

What is Vyper and how is it used in crypto projects?

Vyper is a programming language used in various crypto projects, but it is a minority language in the Ethereum Virtual Machine (EVM) ecosystem.

What should developers of Vyper-based dApps do?

Developers of Vyper-based dApps are urgently advised to address the vulnerability in their contracts to prevent malfunctioning reentrancy locks.

How did the exploit affect Vyper smart contracts?

Vyper smart contracts were vulnerable if they met two conditions: built using Vyper version 0.2.15 and lacking appropriate safeguards for adding and removing liquidity.

What caused further damage in the exploit?

The premature disclosure of the bug's details on Twitter exacerbated the damage by potentially enabling further attacks.

How did other protocols and platforms respond to the exploit?

Other protocols and platforms based on the Curve protocol, like Ellipsis Finance, reported similar exploit incidents, and some DeFi projects, such as Auxo DAO and Convex Finance, removed liquidity to mitigate risks.

What impact did the exploit have on Convex Finance?

Convex Finance, a yield-farming fund, experienced a significant drop in liquidity since the exploit as it offers yield optimization strategy for Curve's CRV tokens.

Advisory

Curve Finance Exploited via Vyper language vulnerability can cascade accross DeFi Industry

published: July 31, 2023

Take action: If you are in the crypto space and developing smart contracts, it's wise to review whether you have smart contracts written in Vyper versions 0.2.15, 0.2.16, and 0.3.0 or if you are using the Curve protocol. If you are, lock them down and review whether you can replace them with non-vulnerable ones.

Learn More

A hacker has targeted the Curve Finance, a decentralized exchange for stablecoin swaps on a Sunday 30th June and managed to exploit the vulnerability, resulting in an estimated loss of $52 million.

However, beyond the damage done to Curve Finance itself, the breach also exposed a critical vulnerability in the wider Decentralized Finance (DeFi) ecosystem. This vulnerability specifically affects smart contracts that were built using certain versions of the programming language Vyper because of a vulnerability in an old compiler in the programming language Vyper.

Vyper is a language that is used in various crypto projects. The Vyper team revealed that contracts developed with Vyper versions 0.2.15, 0.2.16, and 0.3.0 are currently "vulnerable to malfunctioning reentrancy locks." They urgently advised developers of other Vyper-based decentralized applications (dApps) to address this issue.

The vulnerability was not present in the protocols or dApps' code but rather in the Vyper language itself. Vyper, while being a minority language in the Ethereum Virtual Machine (EVM) ecosystem, has been in use for a significant period.

Security researchers clarify Vyper smart contracts may be vulnerable if they meet two conditions:

first, the contract must be built using Vyper version 0.2.15,
second, appropriate safeguards for adding and removing liquidity were not implemented in the code.

An additional factor that exacerbated the damage caused by the exploit was the premature disclosure of the bug's details on Twitter before it had been mitigated. This led to concerns in the Ethereum security community about the need for more discreet communication of bugs to prevent their misuse in further attacks.

In the aftermath of the Curve Finance exploit, other protocols and platforms based on the Curve protocol on different chains have also reported similar exploit incidents. For instance, Ellipsis Finance, an authorized Curve fork, reported that a "small number of stablepools with BNB" were exploited. Additionally, the Tricrypto pool, composed of USDT, WBTC, and ETH, on Curve's deployment on the layer-2 solution Arbitrum, was "potentially affected" but not exploited yet.

In response to the risks posed by the exploit, some DeFi projects, such as Auxo DAO and Convex Finance, have decided to remove liquidity from Curve and Convex Finance pools to mitigate contagion risks. Convex Finance, in particular, offers yield optimization strategy for Curve's CRV tokens and has seen a significant drop in liquidity since the exploit.

Curve Finance Exploited via Vyper language vulnerability can cascade accross DeFi Industry