The DeFi ecosystem suffers yet another exploit shaking the grounds of several crypto-related firms.
The cryptocurrency world was rattled on July 30th when Curve Finance, a decentralized finance (DeFi) protocol, experienced an exploit in its stable pools, resulting in losses exceeding $47 million.
The incident was attributed to a malfunctioning reentrancy lock in Vyper versions 0.2.15, 0.2.16, and 0.3.0.
Curve Finance utilizes Vyper, a contract-oriented, Python-like language mainly targeted toward the Ethereum Virtual Machine (EVM). Vyper's similarities to Python have made it a preferred choice for Python developers entering the Web3 landscape.
According to Vyper, the issue lies in specific versions of its compiler failing to implement the reentrancy guard correctly. This security feature is crucial in preventing reentrancy attacks, which can empty a contract's funds by calling back into the contract before an earlier call has finished. Vyper urged any projects using the implicated versions to contact the company immediately.
"The investigation is ongoing, but any project relying on these versions should immediately reach out to us."
Ancilia, a prominent security firm, analyzed the impacted contracts. Their findings reveal that 136 contracts utilized Vyper 0.2.15 with reentrancy protection, with another 98 and 226 contracts using versions 0.2.16 and 0.3.0, respectively.
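A project can run the same kind of triage on its own Vyper sources: find the compiler version pragma and every function that relies on `@nonreentrant`. The sketch below is an added example, not Ancilia's or Vyper's tooling; the `triage` function, its status labels and the sample contract are hypothetical, and it assumes the source carries a version pragma (the deployed build's compiler metadata remains the authoritative record).

```python
import re

# Compiler versions the article names as having the malfunctioning lock.
AFFECTED = {"0.2.15", "0.2.16", "0.3.0"}

# Version pragma: "# @version 0.2.15" (older style) or "#pragma version 0.3.0".
PRAGMA = re.compile(r"^#[ \t]*(?:@version|pragma[ \t]+version)[ \t]+(\S.*?)\s*$", re.M)
# Only an exact pin identifies the compiler; ranges such as ^0.2.15 do not.
EXACT = re.compile(r"^=*\s*v?(\d+\.\d+\.\d+)$")
# @nonreentrant('key'), optionally more decorators, then the guarded function.
GUARDED = re.compile(
    r"^@nonreentrant\(\s*['\"]([^'\"]+)['\"]\s*\)\s*\n(?:@[^\n]*\n)*def\s+(\w+)", re.M)

# Constructed sample input, not a real pool contract.
SAMPLE = """# @version 0.2.15
@external
@nonreentrant('lock')
def remove_liquidity(amount: uint256):
    pass

@payable
@external
@nonreentrant('lock')
def exchange(i: int128, j: int128):
    pass
"""


def triage(source: str) -> dict:
    """Classify one Vyper source file against the affected compiler versions."""
    m = PRAGMA.search(source)
    spec = m.group(1) if m else None
    exact = EXACT.match(spec) if spec else None
    version = exact.group(1) if exact else None
    guarded = {}  # lock key -> functions that depend on it
    for key, func in GUARDED.findall(source):
        guarded.setdefault(key, []).append(func)
    if not guarded:
        status = "no-guard-used"          # the lock is not relied on here
    elif version is None:
        status = "check-build-metadata"   # missing or range pragma
    elif version in AFFECTED:
        status = "affected"
    else:
        status = "not-listed"
    return {"pragma": spec, "version": version, "guarded": guarded, "status": status}


if __name__ == "__main__":
    print(triage(SAMPLE))
```

A `check-build-metadata` result means the source alone cannot say which compiler produced the deployed bytecode, so it should be treated as unresolved rather than safe.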
The cyber heist had a broad impact on the DeFi ecosystem. The decentralized exchange Ellipsis acknowledged that several stable pools were exploited due to an old Vyper compiler. Alchemix's alETH-ETH pool observed an outflow of $13.6 million, while JPEG'd's pETH-ETH and Metronome's sETH-ETH pools were exploited for $11.4 million and $1.6 million, respectively.
Curve Finance CEO Michael Egorov subsequently verified that over 32 million CRV tokens, equivalent to over $22 million, had been siphoned from the swap pool.
The fallout of the exploit rippled across the DeFi sector, prompting a flurry of transactions across pools and instigating a damage control initiative from white hats. Curve Finance’s utility token, Curve DAO (CRV), saw a drop of over 12% in response to the incident.
The recent incident adds to a growing list of attacks on DeFi protocols.
A report published by the Web3 portfolio app De.Fi highlights the grim reality, with over $204 million being siphoned off through DeFi scams and hacks in the second quarter of 2023 alone. The unfortunate events emphasize the need for more robust security measures within the crypto space.