On July 30, attackers exploited a vulnerability in the Vyper compiler to hack a number of liquidity pools on the Curve Finance decentralized exchange and steal more than $50 million in various tokens. Due to the presence of a bug, more than 450 pools were at risk at the time of the incident. ForkLog discussed the case with experts.
What happened?
According to a report by Llama Risk, the Curve Finance hack was caused by a faulty reentrancy blocker in certain versions of the Vyper compiler.
“Curve contracts became vulnerable when calling the raw_call function to send native tokens. Each affected Curve pool used one of the problematic versions of Vyper and contained pairs with native ETH. The pools paired with WETH were not affected,” the experts noted.
As representatives of the analytical company Crystal Blockchain explained to ForkLog, the vulnerability allowed attackers to create smart contracts that could make transactions without user authorization.
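The reentrancy-lock failure described above, as an added illustration that is not Curve's or Vyper's code: a Python model of a pool that pays out native ETH before it has finished updating its own state, which is exactly the window a reentrancy lock is supposed to cover. The model compares a lock shared by all guarded functions (the intended behaviour) with a lock scoped to each function separately; that per-function scoping is an assumption standing in for whatever the affected compiler versions got wrong, since the article does not describe the exact defect. It also models the WETH case: an ERC-20 transfer only changes a balance entry and never hands control to the recipient, which is why the WETH-paired pools were unaffected regardless of the lock. All balances and names are constructed.

```python
import copy
from dataclasses import dataclass, field


class Revert(Exception):
    """Models an EVM revert: every state change of the transaction is discarded."""


class ReentrancyError(Revert):
    """Raised when a guarded function is entered while its lock is held."""


@dataclass
class Pool:
    shared_lock: bool          # True: one lock for all guarded functions (intended)
    pays_native: bool          # True: raw_call-style native ETH payout; False: WETH
    eth_reserve: float = 0.0
    total_shares: float = 0.0
    shares: dict = field(default_factory=dict)
    _locks: dict = field(default_factory=dict)

    def _acquire(self, fn_name):
        # Assumption for illustration: a broken guard keys the lock per function,
        # so a call into a *different* guarded function is not rejected.
        key = "pool" if self.shared_lock else fn_name
        if self._locks.get(key):
            raise ReentrancyError(f"{fn_name}: reentrant call rejected")
        self._locks[key] = True
        return key

    def _release(self, key):
        self._locks[key] = False

    def add_liquidity(self, caller, eth_in):
        key = self._acquire("add_liquidity")
        if caller.eth < eth_in:
            raise Revert("insufficient ETH")
        minted = eth_in if self.total_shares == 0 else eth_in * self.total_shares / self.eth_reserve
        caller.eth -= eth_in
        self.eth_reserve += eth_in
        self.total_shares += minted
        self.shares[caller.name] = self.shares.get(caller.name, 0.0) + minted
        self._release(key)
        return minted

    def remove_liquidity(self, caller, burn):
        key = self._acquire("remove_liquidity")
        if self.shares.get(caller.name, 0.0) < burn:
            raise Revert("insufficient shares")
        eth_out = burn * self.eth_reserve / self.total_shares
        self.eth_reserve -= eth_out
        if self.pays_native:
            # Native transfer: the recipient's code runs here, while the shares
            # below are not yet burned. Only the lock prevents it re-entering.
            caller.receive_eth(self, eth_out)
        else:
            # ERC-20 (WETH) transfer: a balance entry changes, no callback at all.
            caller.weth += eth_out
        self.total_shares -= burn
        self.shares[caller.name] -= burn
        self._release(key)
        return eth_out


class Account:
    def __init__(self, name, eth=0.0):
        self.name, self.eth, self.weth = name, eth, 0.0

    def receive_eth(self, pool, amount):
        self.eth += amount


class ReenteringAccount(Account):
    """Contract whose receive hook calls another guarded pool function while
    remove_liquidity is still mid-execution (constructed for the model)."""

    def receive_eth(self, pool, amount):
        self.eth += amount
        pool.add_liquidity(self, amount)


def run_tx(state, fn, *args):
    """Run a call with EVM atomicity: on Revert, restore every object in `state`."""
    snapshots = [copy.deepcopy(obj.__dict__) for obj in state]
    try:
        return fn(*args)
    except Revert:
        for obj, snap in zip(state, snapshots):
            obj.__dict__.clear()
            obj.__dict__.update(snap)
        raise


def claim(pool, acct):
    """Value in ETH that an account's shares are currently entitled to."""
    if pool.total_shares == 0:
        return 0.0
    return pool.shares.get(acct.name, 0.0) / pool.total_shares * pool.eth_reserve


def simulate(shared_lock, pays_native):
    """Honest LP and a re-entering contract each deposit 50; the contract then
    withdraws. Returns whether the withdrawal reverted and each party's net gain."""
    pool = Pool(shared_lock=shared_lock, pays_native=pays_native)
    lp, user = Account("lp", eth=50.0), ReenteringAccount("user", eth=50.0)
    pool.add_liquidity(lp, 50.0)
    pool.add_liquidity(user, 50.0)
    value = lambda a: a.eth + a.weth + claim(pool, a)
    lp_before, user_before = value(lp), value(user)
    reverted = False
    try:
        run_tx([pool, user], pool.remove_liquidity, user, 50.0)
    except ReentrancyError:
        reverted = True
    return {"reverted": reverted,
            "user_gain": value(user) - user_before,
            "lp_gain": value(lp) - lp_before}
```

With the shared lock the whole withdrawal reverts and nobody's balance moves; with the per-function lock and a native payout the re-entering contract is credited shares at a stale price and walks away with value taken from the honest provider; with a WETH payout the same broken lock is never reached because there is no callback.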
The incident affected the projects Alchemix, JPEG’d, MetronomeDAO, Ellipsis and deBridge.
The following pools were most affected:
pETH/ETH: 6106.65 WETH (~$11 million);
msETH/ETH: 866.55 WETH (~$1.6M) and 959.71 msETH (~$1.8M);
alETH/ETH: 7258.7 WETH (~$13.6M) and 4821.55 alETH (~$9M);
CRV/ETH: 7,193,401.77 CRV (~$5.1M at the time of the incident), 7680.49 WETH (~$14.2M) and 2879.65 ETH (~$5.4M).
The Arbitrum Tri-Crypto pool could also potentially be affected. Auditors and Vyper developers were unable to confirm the existence of the exploit, but the Curve team advised liquidity providers to exit it as a precautionary measure.
Although no emergency DAO measure could stop the pools or affect users’ funds in any way, it was possible to freeze the issuance of additional CRV.
Tweets that made the incident worse
In the first minutes after the hack, analysts from BlockSec and PeckShieldAlert published excerpts from the open source code of the Vyper compiler on the X social network (formerly Twitter), indicating the details of the vulnerability. Such actions were strongly condemned by the community, after which the original posts were deleted.
According to Mark Letsiuk, head of analytics and research at HAPI Labs, the BlockSec and PeckShield tweets gave third-party hackers the opportunity to “join in the hack” and made things worse.
“While the incident is going on, it is absolutely impossible to do this, especially for the sake of cheap PR. They should report the details of the attack to the project directly or contact those who are still working on the vulnerable version of the compiler,” he explained.
Letsiuk added that the pools were attacked by several independent hackers. Among them, however, were white-hat hackers, thanks to whom the project managed to recover part of the stolen funds. In particular, the 2879.65 ETH (~$5.4 million) taken from the CRV/ETH pool by c0ffeebabe.eth has already been returned to the Curve Finance team.
After a wave of criticism, BlockSec representatives responded that, when publishing the tweet with details of the attack, they had been guided by the need to warn the community as soon as possible, since the Curve Finance team could not be reached.
Impact on the DeFi sector
At the time of the incident, over 450 liquidity pools used versions of the Vyper compiler with the vulnerability, so the number of victims and the amount of damage could have been many times greater, HAPI Labs experts said. Such a situation, they said, would potentially have caused unprecedented panic and a drop in liquidity across the DeFi segment.
The compiler problem has now been resolved. The developers noted that the attacker had to “dig deep” into the version history to find this far-from-obvious issue.
DeFi researcher Ignas, in comments to The Block, said the Curve Finance incident had “undermined confidence in decentralized finance.”
“If a protocol that has worked without problems for three years suffers from an exploit, the question arises how secure other blue chips like Aave, Compound or even Uniswap are. There are huge risks in the event of a Uniswap v4 hack with its monolithic smart contract design, as all assets would be instantly vulnerable,” he said.
Ignas also noted that a number of protocols whose synthetic assets depend on the liquidity of the CRV token may end up in debt to users. In particular, he mentioned the $100 million in liquidations involving Aave, Frax and Abracadabra after the attack.
In his opinion, the incident could slow down the institutional adoption of DeFi.
However, MakerDAO co-founder Rune Christensen thinks that the Curve Finance exploit will be the “final crash” before the new growth of the cryptocurrency market.
Nostra founder David Garay agrees with him:
“This could also be a turning point when lending protocols finally begin proactive monitoring of on-chain liquidity for every embedded type of collateral.”
In turn, Indefibank CEO Sergey Mendeleev, in a comment to ForkLog, argued that the hack was insignificant for the decentralized finance market.
“Curve Finance is a big protocol that makes up for all the losses and users won’t notice anything in the end. I wouldn’t pay any attention to this petty incident at all. The actions of the SEC and European regulators pose a significantly greater threat to the crypto market and DeFi in particular,” the expert said.
ForkLog previously reported that a wallet owned by Tron co-founder Justin Sun withdrew 2 million USDT from the Aave network and sent it to the head of the Curve Finance DeFi protocol, Mikhail Egorov, in exchange for 5 million CRV (~$2.9 million at the exchange rate at the time of writing).
Recall that during July, cryptocurrency traders lost $303 million worth of digital assets as a result of exploits and hacker attacks.
2023-08-01 16:25:44