Decentralized Finance (DeFi) Protocol Curve Finance Faces $52 Million Attack Due to Vyper Vulnerability
In a recent incident, Curve Finance, a prominent DeFi protocol, fell victim to a devastating attack resulting in a staggering loss of $52 million from its stablecoin pool alETH/msETH/pETH. The attack’s root cause was traced back to a vulnerability found in specific versions of Vyper, an Ethereum Virtual Machine (EVM) contract programming language.
The exploit exploited a recursive lock failure within Vyper, specifically affecting versions 0.2.15, 0.2.16, and 0.3.0 of the language. This critical vulnerability prompted various DeFi protocols to undergo stress tests as security agencies vigilantly monitored the situation.
The attackers targeted multiple liquidity pools on Curve Finance, including aETH/ETH, msETH/ETH, pETH/ETH, and CRV/ETH, successfully draining these pools entirely by leveraging the reentrancy lock flaw. However, it was confirmed that all other remaining pools on Curve Finance remained secure and unaffected by the attack.
In response to the incident, Curve Finance took swift action to address the situation. The early deployer of the “MEV Bot,” identified as c0ffeebabe.eth, commendably returned 2,879.54 ETH, equivalent to approximately $5.4 million, back to the Curve Finance deployer. This proactive gesture aimed to mitigate the damages caused by the exploit and demonstrated a commitment to resolving the crisis.
The DeFi community was prompted into discussions concerning the safety and security of smart contracts, as Vyper’s official documentation was found to recommend the wrong version for installation, inadvertently contributing to the vulnerability exploited by the attackers.
Another project impacted by the attack was Alchemix, which promptly responded to a notice from Curve Finance regarding the alETH/ETH pool’s vulnerability due to a Vyper error. Alchemix swiftly initiated a process to remove AMO (Alchemix’s proprietary token) from the Curve pool through the AMO contract’s control mobility. Importantly, the Alchemix smart contract itself remained uncompromised, ensuring the safety of users’ funds.
Nevertheless, during the process of removing the remaining liquidity controlled by AMO, the alETH/ETH Curve pool incurred a loss of approximately 5,000 ETH. Consequently, Alchemix issued a warning to its users, advising them to refrain from providing liquidity in the alETH/ETH Curve pool. While providing liquidity for alETH elsewhere might be technically secure, users were urged to exercise caution, as attackers could exploit liquidity for their benefit.
The incident underscores the importance of rigorous security audits and the necessity for continuous monitoring and updates in the rapidly evolving DeFi landscape. Both developers and users are urged to remain vigilant and take necessary precautions to protect against potential exploits in DeFi protocols.
Responding to the incident, the developers behind Vyper have declared the recursive locks in versions 0.2.15, 0.2.16, and 0.3.0 as invalid. This proactive measure aims to prevent further incidents stemming from the same vulnerability in other protocols reliant on Vyper for their smart contracts.
Furthermore, as reported by Coincu, Aave has urgently motioned to deactivate CRV borrowing on Ethereum. This move is intended to safeguard traders from abusing Curve flaws and engaging in malicious shorting of borrowed CRV, potentially leading to repeated liquidations.
Leave a comment