
Expert: Curve hack a minor incident compared with SEC’s actions
On July 30, attackers exploiting a vulnerability in the Vyper compiler hacked a number of liquidity pools on the decentralized exchange Curve Finance and stole more than $50 million in various tokens. Because of the bug, more than 450 pools were at risk at the moment of the incident. ForkLog discussed the case with experts.
What happened?
According to the Llama Risk report, the cause of the Curve Finance hack was a faulty reentrancy lock in certain versions of the Vyper compiler.
«Curve contracts became vulnerable when calling the raw_call function to send native tokens. Each affected Curve pool used one of the problematic Vyper versions and contained pairs with native ETH. Pools with WETH pairs were not affected», — noted the specialists.

As explained to ForkLog by representatives of the analytics firm Crystal Blockchain, the vulnerability allowed attackers to create smart contracts that could perform transactions without user authorization.
The incident affected projects Alchemix, JPEG’d, MetronomeDAO, Ellipsis and deBridge.
The most affected pools:
- pETH/ETH — 6,106.65 WETH (~$11 million);
- msETH/ETH — 866.55 WETH (~$1.6 million) and 959.71 msETH (~$1.8 million);
- alETH/ETH — 7,258.7 WETH (~$13.6 million) and 4,821.55 alETH (~$9 million);
- CRV/ETH — 7,193,401.77 CRV (~$5.1 million at the time of the incident), 7,680.49 WETH (~$14.2 million) and 2,879.65 ETH (~$5.4 million).
The Arbitrum Tri-Crypto pool could also potentially have been affected. Auditors and Vyper developers could not confirm the existence of the exploit, but Curve advised liquidity providers to exit it as a precaution.
Although the emergency DAO measures could neither halt the pool nor touch users’ funds, the issuance of additional CRV was frozen.
Tweets that aggravated the incident
In the first minutes after the hack, analysts from BlockSec and PeckShieldAlert posted on X (formerly Twitter) excerpts of the Vyper compiler’s open-source code with details of the vulnerability. Such actions drew sharp condemnation from the community, after which the original posts were removed.

According to HAPI Labs’ head of analytics and research, Mark Leczyuk, the BlockSec and PeckShield tweets gave external hackers the opportunity to “join the hack” and worsen the situation.
«During the incident, such actions were absolutely unacceptable, especially for cheap PR. They should report attack details to the project directly or contact those who are still running the vulnerable compiler version», — he explained.
Leczyuk added that pools were attacked by several independent hackers. Among them were some “white hat” hackers, through whom the project managed to recover part of the stolen funds. In particular, 2,879.65 ETH (~$5.4 million) stolen from the CRV/ETH pool by c0ffeebabe.eth has already been returned to Curve Finance.
After the wave of criticism, BlockSec representatives replied that when posting the tweet with attack details they were guided by the need to warn the community as quickly as possible, since the Curve Finance team was not reachable.
Impact on the DeFi sector
At the time of the incident, more than 450 liquidity pools used vulnerable Vyper compiler versions, so the number of victims and losses could be much larger, according to HAPI Labs experts. Such a scenario, they say, could have triggered unprecedented panic and a liquidity drain across the entire DeFi space.
The issue with the compiler is now resolved. Developers noted that the attacker had to “dig deeply” into the version history to locate this not-so-obvious flaw.
DeFi researcher going by the nickname Ignas, in a comment to The Block, stated that the Curve Finance incident has “shaken confidence in DeFi.”
«If a protocol that worked fine for three years suffers from an exploit, the question arises how safe are other “blue chips” like Aave, Compound or even Uniswap. There are huge risks in the event of a hack of Uniswap v4 with its monolithic smart-contract design, as all assets would be instantly vulnerable», — he said.
Ignas also noted that several protocols whose synthetic assets depend on CRV liquidity could be in debt to users. In particular, he mentioned liquidations at Aave, Frax and Abracadabra totaling $100 million after the attack.
In his view, the incident could slow institutional adoption of DeFi.
Meanwhile, MakerDAO co-founder Rune Christensen thinks that the Curve Finance exploit will be the “last crash” before a new upswing in the crypto market.
Nostra founder David Garay agrees with him:
«This could also be a turning point when lending protocols finally begin proactively monitoring liquidity in the network for every embedded type of collateral».
Meanwhile, Indefibank CEO Sergey Mendeleev, in a ForkLog comment, pointed to the minor impact of the hack on the DeFi market.
«Curve Finance is a large protocol that covers all losses, and users ultimately won’t notice anything. I would not pay attention to this minor incident at all. The actions of the U.S. Securities and Exchange Commission and European regulators pose a significantly greater threat to the crypto market and DeFi in particular», — said the expert.
Earlier, ForkLog reported that a wallet belonging to Tron co-founder Justin Sun withdrew 2 million USDT from Aave and sent them to Mikhail Egorov, head of the DeFi protocol Curve Finance, in exchange for 5 million CRV (~$2.9 million at the time of writing).
As noted, during July crypto traders lost digital assets to a total of $303 million due to exploits and hacker attacks.