ForkLog

Hacker drains Curve Finance liquidity pools of $47 million

On July 30, an unknown attacker targeted stablecoin pools on the DEX Curve Finance and withdrew about $47 million by exploiting a vulnerability in the Vyper code.

“Several stable pools (alETH/msETH/pETH), using Vyper 0.2.15, were hacked due to a flaw in the reentrancy mechanism. We are assessing the situation and will inform the community as events unfold. Other pools are safe,” Curve representatives wrote.

Vyper is a contract-oriented programming language based on Python, designed for the Ethereum Virtual Machine. The developers acknowledged that the reentrancy exploit affects versions 0.2.15, 0.2.16 and 0.3.0.

Analysts at Ancilia say that about 460 protocols used the vulnerable software.

According to Curve’s investigation, some compiler versions implemented the reentrancy protection incorrectly. This protection is meant to prevent multiple functions from executing simultaneously by locking the contract.
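The locking behaviour described above, modelled in Python as an added example (not Curve's or Vyper's code). The `Pool` class, its function names and the per-function-slot failure mode are assumptions chosen for illustration; the article does not detail the compiler flaw.

```python
class Reentrancy(Exception):
    """Raised when a guarded function is entered while its lock is held."""

def nonreentrant(key):
    """Guard decorator; all names here are hypothetical, for illustration."""
    def wrap(fn):
        def guarded(self, *args):
            # Correct guard: every function naming `key` shares one lock slot.
            # Assumed faulty guard: each function silently gets its own slot.
            slot = key if self.shared_lock else (key, fn.__name__)
            if slot in self.held:
                raise Reentrancy(fn.__name__)
            self.held.add(slot)
            try:
                return fn(self, *args)
            finally:
                self.held.discard(slot)
        return guarded
    return wrap

class Pool:
    def __init__(self, shared_lock):
        self.shared_lock = shared_lock
        self.held = set()
        self.balance = 100  # constructed sample value

    @nonreentrant("lock")
    def remove_liquidity(self, amount, callback):
        callback(self)  # external call while the lock is held
        self.balance -= amount

    @nonreentrant("lock")
    def add_liquidity(self, amount):
        self.balance += amount

def same(pool):   # nested call into the function already running
    pool.remove_liquidity(1, lambda p: None)

def cross(pool):  # nested call into a different guarded function
    pool.add_liquidity(1)

def reentry_blocked(shared_lock, reenter):
    """True if the nested call made by `reenter` is rejected by the guard."""
    try:
        Pool(shared_lock).remove_liquidity(10, reenter)
    except Reentrancy:
        return True
    return False
```

A guard test that only re-enters the same function passes against both variants; only the cross-function case tells a shared lock from per-function locks.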

A number of DeFi projects on Curve were affected, including JPEG’d, MetronomeDAO, deBridge and Ellipsis. The largest loss was from the alETH-ETH Alchemix pool: $13.6 million.

BlockSec researchers also reported that a similar exploit affected three projects on BNB Smart Chain. In total, the attacker withdrew about $73,000 from protocols on that network.

A white-hat hacker and MEV bot operator using the handle c0ffebabe.eth managed to take custody of 2,879 ETH stolen from the pools, worth about $5.4 million, after asking affiliated protocols to contact him to recover the assets. He later transferred another 1,000 ETH (~$1.8 million) to a cold wallet.

According to DeFi Llama, Curve Finance’s total value locked (TVL) fell by nearly half over 24 hours, from $3.25 billion to $1.73 billion.

Curve DAO Token (CRV), the project’s utility token, dropped 11.5% in 24 hours, according to CoinGecko. At the time of writing, the asset was trading at $0.6492.

South Korea’s largest exchange Upbit announced that, due to the attack, CRV volatility increased, and the platform suspended all deposits and withdrawals for the token.

Earlier in July, the hacker withdrew $1.5 million from the DeFi protocol Rodeo Finance through oracle manipulation.

The attacker then targeted the Alphapo project. Losses from the breach totaled about $60 million.

For the first half of 2023, the crypto industry suffered 395 hacks, losing about $479.4 million.
