On Sunday 30 July, five separate cyber attacks were carried out on the decentralized Curve Finance protocol, with damage from the crypto hack estimated at $70 million.
The attackers exploited a vulnerability in versions 0.2.15, 0.2.16 and 0.3.0 of the Vyper compiler, the Pythonic smart-contract language used by Curve's pools.
Experts warn about the risk of contagion in many of DeFi’s applications.
Below is an analysis of the incident.
$70 million crypto hack at Curve Finance
On Sunday 30 July, from 3:30 PM onwards, trouble broke out on the decentralized platform Curve Finance, with a series of exploits draining funds worth about $70 million.
The alert to the community came from Curve's official Twitter profile, which confirmed the incident.
A number of stablepools (alETH/msETH/pETH) using Vyper 0.2.15 have been exploited as a result of a malfunctioning reentrancy lock. We are assessing the situation and will update the community as things develop.
Other pools are safe. https://t.co/eWy2d3cDDj
— Curve Finance (@CurveFinance) July 30, 2023
In detail, the first exploit drained about $11 million from JPEG'd's pETH-ETH pool, followed by four further attacks on Alchemix's alETH-ETH, Pendle's pETH-ETH, Metronome's msETH-ETH and the CRV-ETH pools.
According to the analysis, some of these drains were carried out by white-hat actors, who took funds from the liquidity pools before malicious actors could, intending to return them once the situation is resolved.
Hence the net losses amount to around $50 million in total, with concerns that the incident could affect the entire DeFi ecosystem.
This is because those responsible for the attack on Curve Finance, which manages more than 200 pools totaling about $3 billion, exploited a bug in the Vyper compiler affecting versions 0.2.15, 0.2.16 and 0.3.0.
According to the initial investigation, those compiler versions do not correctly implement the @nonreentrant lock. The lock is meant to stop a contract from being re-entered through a callback while a guarded function is still executing, but in the affected versions functions that declared the same lock key did not actually share it, so an attacker who received control mid-call (for instance via the ETH transfer in a withdrawal) could call back into another guarded function while the pool's state was only half-updated, and drain it.
Any contract compiled with one of those Vyper versions and relying on that lock is therefore potentially exposed, not only Curve's pools.
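The following Python model, added here for illustration and not code from Curve or the Vyper project, reproduces the two lock-allocation rules: the affected compilers gave every decorated function its own lock storage slot, the fixed ones give one slot per key name. The pool is a deliberately simplified single-asset pool (names such as EthPool, Attacker and run_attack are the example's own, and the real exploit transactions were more involved). What it shows is that when the lock is per function, an attacker can re-enter add_liquidity from the ETH callback inside remove_liquidity, at a moment when the ETH balance has already been reduced but the LP supply has not, and so mint LP tokens at a discount.

```python
"""Toy model of the Vyper @nonreentrant("lock") bug (compiler 0.2.15 to 0.3.0).

Added illustration, not code from Curve or the Vyper project. The pool below
is a simplified single-asset pool; the lock handling is what matters.
"""
import functools
import itertools


class Reverted(Exception):
    """Stands in for an EVM revert raised by a failed lock check."""


class Contract:
    """Minimal contract: a storage map plus a lock-slot allocator."""

    def __init__(self, shared_lock: bool):
        self.storage = {}
        self.shared_lock = shared_lock
        self._slots = itertools.count(1000)   # lock slots live above state slots
        self._lock_slots = {}

    def lock_slot(self, key: str, func_name: str) -> int:
        # Fixed compilers: one slot per key name, shared by every function.
        # Buggy compilers: one slot per (key, function), so the key is meaningless.
        slot_id = key if self.shared_lock else (key, func_name)
        return self._lock_slots.setdefault(slot_id, next(self._slots))


def nonreentrant(key: str):
    """Models @nonreentrant(key): check lock, set it, run body, clear it."""
    def deco(fn):
        @functools.wraps(fn)
        def wrapper(self, *args):
            slot = self.lock_slot(key, fn.__name__)
            if self.storage.get(slot, 0):
                raise Reverted(f"{fn.__name__}: lock '{key}' already held")
            self.storage[slot] = 1
            try:
                return fn(self, *args)
            finally:
                self.storage[slot] = 0
        return wrapper
    return deco


class EthPool(Contract):
    """Single-asset pool: slot 0 = ETH balance, slot 1 = LP total supply."""
    ETH, LP = 0, 1

    def __init__(self, shared_lock: bool, eth: int, lp: int):
        super().__init__(shared_lock)
        self.storage[self.ETH], self.storage[self.LP] = eth, lp
        self.lp_balances = {}

    @nonreentrant("lock")
    def add_liquidity(self, caller, eth_in: int) -> int:
        eth, lp = self.storage[self.ETH], self.storage[self.LP]
        minted = eth_in * lp // eth          # pro rata to the *current* ETH balance
        self.storage[self.ETH] = eth + eth_in
        self.storage[self.LP] = lp + minted
        self.lp_balances[caller] = self.lp_balances.get(caller, 0) + minted
        return minted

    @nonreentrant("lock")
    def remove_liquidity(self, caller, lp_burn: int) -> int:
        eth, lp = self.storage[self.ETH], self.storage[self.LP]
        eth_out = lp_burn * eth // lp
        self.storage[self.ETH] = eth - eth_out          # balance reduced ...
        caller.receive_eth(self, eth_out)               # ... ETH sent: external call!
        self.storage[self.LP] = self.storage[self.LP] - lp_burn   # ... LP burned last
        self.lp_balances[caller] -= lp_burn
        return eth_out


class Attacker:
    """Re-enters add_liquidity from the ETH callback while LP supply is stale."""

    def __init__(self):
        self.reentry = None

    def receive_eth(self, pool: EthPool, amount: int):
        try:
            self.reentry = ("minted", pool.add_liquidity(self, amount))
        except Reverted as e:
            self.reentry = ("reverted", str(e))


def run_attack(shared_lock: bool):
    """Pool holds 100 ETH / 100 LP; attacker owns 50 LP, an honest LP owns 50.
    Returns (re-entry outcome, attacker's final ETH-denominated position)."""
    pool = EthPool(shared_lock, eth=100, lp=100)
    attacker = Attacker()
    pool.lp_balances = {attacker: 50, "honest": 50}
    eth_out = pool.remove_liquidity(attacker, 50)
    share = pool.lp_balances[attacker] * pool.storage[pool.ETH] // pool.storage[pool.LP]
    # position = remaining pool share + ETH cashed out - ETH re-deposited in the callback
    redeposited = eth_out if attacker.reentry[0] == "minted" else 0
    return attacker.reentry, share + eth_out - redeposited


if __name__ == "__main__":
    for shared in (False, True):
        label = "shared lock" if shared else "buggy per-function lock"
        print(label, run_attack(shared))
```

With the buggy per-function lock the re-entered add_liquidity succeeds and the attacker turns a 50 ETH position into about 66 ETH of value at the honest LP's expense; with one slot per key the callback's call reverts on the held lock and the position stays at 50.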
Now many community users are blaming the Alchemix, JPEG’d and Curve team members (actively involved in the maintenance of the Vyper codebase) as primarily responsible for the bug.
However, Dr. Laurence Day, founder of Wildcat Finance, pointed out that the problem is about a lack of a priori controls and that there is no need to point fingers at each other.
These are his words:
“Compilers are prepackaged with a whole set of behavioral assumptions that the vast majority of us simply take for granted because we assume that people smarter than us have done the legwork closest to the assembly. It is very easy to point fingers and report failures rather than to check these things.”
MEV bots also became part of this story: a MEV bot frontran the first exploit transaction against the pETH-ETH pool, taking the funds before the attacker's own transaction could execute.
pETH belonging to @JPEGd_69 has just been exploited for 11 million USD with a Curve read only reentrancy.
An attacker was frontrunned by a MEV-bot: https://t.co/iogcaPVLcu
A screenshot from our monitoring system: pic.twitter.com/JQheXW8Kvj
— Decurity (@DecurityHQ) July 30, 2023
The negative effects on the CRV token and the rest of the market
The series of exploits made possible by Vyper's broken reentrancy lock has inevitably damaged the Curve Finance platform both economically and reputationally.
According to DefiLlama's data, the protocol's TVL dropped in one day from $3.26 billion to the current $1.72 billion, a drop of roughly 47%.
In fact, many parties, frightened by the danger of contagion on other liquidity pools, preferred to withdraw their assets while waiting for the storm to subside, causing Curve Finance to lose a large chunk of liquidity.
The CRV governance token was also hit, with the price plummeting 14.25% yesterday and about $60 million wiped off its market cap.
Trading volume of 75 million CRV was recorded on Binance, 35 times the previous day's volume.
At the moment the price seems to have stabilized around $0.64, with a possible recovery in the coming hours given the oversold reading on the RSI indicator.
The same applies to Alchemix's ALCX token, which lost 6.7% during yesterday's turmoil, worsening already dismal price action.
The token currently trades at a price of $13.06, nowhere near its all-time high set at $458 and with a bearish pattern that has persisted for about 1.5 years.
The cryptocurrency has a marketcap of $24.8 million and an infinite max supply.
Beyond the purely economic damage caused by the attacks on Curve Finance, it is evident that this incident has further damaged the reputation of decentralized protocols, which have increasingly fallen victim to code bugs or organized exploits.
In 2022 alone, $3.9 billion was stolen in the decentralized finance sector, leaving thousands of users who will never see their assets again and who have no bankruptcy or liquidation process to turn to, unlike the failures of centralized companies such as FTX or Mt. Gox.