Massive Security Breach Plagues Curve Finance: Exploit Costs $47 Million
On July 30, the DeFi sector faced a jolting revelation. Curve Finance, a predominant name in the industry, reported a severe exploit. The breach originated from various stable pools, all powered by Vyper, resulting in a significant loss of over $47 million. Investigations revealed vulnerabilities in the 0.2.15, 0.2.16, and 0.3.0 versions of Vyper that led to the mishap.
The Unexpected Vulnerability Is Catastrophic for Curve Finance
According to reports, malfunctioning reentrancy locks in these Vyper versions triggered the exploit. Vyper made this fact public, urging projects dependent on these versions to get in touch for damage control. Ancilia, a renowned security firm, shared a detailed analysis of the situation. The firm revealed that 136 contracts with reentrant protection used Vyper 0.2.15. Meanwhile, 98 contracts were associated with Vyper 0.2.16, and 226 utilized Vyper 0.3.0.
The crux of the problem resided within the Vyper compiler: specific versions failed to implement the reentrancy guard properly. This guard is essential because it stops a contract's protected functions from being entered again while one of them is still executing, which is what keeps the contract's state consistent. When the guard fails, reentrancy attacks become possible and can drain all funds from a contract. That proved to be the unfortunate fate of Curve Finance.
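As an added illustration (not code from Vyper, Curve or any of the affected projects), the following Python model shows the property a reentrancy guard must enforce, including the cross-function case where two functions share one lock key; `Pool`, `nonreentrant` and `reentry_is_blocked` are assumed names, and the balances are constructed sample data.

```python
import functools

class Reentrancy(Exception):
    """Raised when a guarded function is entered while its lock is held."""

def nonreentrant(key):
    """Model of a Vyper-style @nonreentrant(key) guard (assumed semantics):
    every function sharing `key` shares ONE lock slot in contract storage."""
    def decorate(fn):
        @functools.wraps(fn)
        def guarded(self, *args, **kwargs):
            if self.storage.get(key):
                raise Reentrancy(f"{fn.__name__}: lock {key!r} already held")
            self.storage[key] = True
            try:
                return fn(self, *args, **kwargs)
            finally:
                self.storage[key] = False
        return guarded
    return decorate

class Pool:
    """Toy liquidity pool; balances are constructed sample data, not Curve's."""

    def __init__(self, balances):
        self.balances = dict(balances)
        self.storage = {}  # contract storage: one slot per lock key

    @nonreentrant("lock")
    def withdraw(self, who, amount, on_receive):
        assert self.balances[who] >= amount, "insufficient balance"
        on_receive(self, who, amount)  # external call: control passes to the recipient
        self.balances[who] -= amount   # bookkeeping after the call, so the lock must hold

    @nonreentrant("lock")
    def claim(self, who, amount, on_receive):
        on_receive(self, who, amount)  # same key as withdraw: must share its lock
        self.balances[who] -= amount

def reentry_is_blocked(pool, who, amount, reenter):
    """Drive withdraw with a receive hook that calls `reenter` on the pool.
    A working lock raises Reentrancy, the outer call aborts (an EVM tx would
    revert) and the ledger is untouched; returns True only in that case."""
    before = pool.balances[who]
    try:
        pool.withdraw(who, amount, reenter)
    except Reentrancy:
        return pool.balances[who] == before
    return False
```

Running `reentry_is_blocked` against a hook that re-enters `withdraw` and against one that re-enters `claim` is the check an auditor wants to see pass for every function that shares a lock key.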
The Genesis of Vyper
Vyper is not an obscure name within the crypto universe. It’s an eminent contract-oriented programming language that targets the Ethereum Virtual Machine (EVM). Its uncanny resemblance to Python renders it an ideal stepping stone for Python developers venturing into the Web3 realm.
The impact of the exploit wasn’t confined to Curve Finance. The shockwave reverberated through several decentralized finance projects. Ellipsis, a decentralized exchange, reported an exploit on several of its BNB stable pools owing to an outdated Vyper compiler.
Other significant losses included Alchemix’s alETH-ETH pool witnessing a $13.6 million outflow, JPEGd’s pETH-ETH pool losing $11.4 million, and Metronome’s sETH-ETH pool being reduced by $1.6 million. Adding salt to the wound, Michael Egorov, Curve Finance CEO, confirmed a loss of 32 million CRV tokens. This amounted to over $22 million drained from the swap pool.
DeFi Ecosystem in Turmoil
The ripple effects of the exploit didn’t stop there. The breach induced panic throughout the DeFi Ecosystem, spurring a surge of transactions across pools. Simultaneously, it kickstarted a rescue mission by white hats.
This unfortunate event is not an isolated incident for Curve Finance. The protocol, famed for enabling the decentralized exchange of stablecoins on Ethereum, has been a recurring target.
Just days prior, Conic Finance, another extension of the Curve ecosystem, fell victim to a $3.26 million exploit in Ether. The stolen amount was swiftly transferred to a new Ethereum address in a single transaction.