Curve Finance Liquidity Pools Exploited, $47M Lost

  • Liquidity pools on Curve Finance were exploited, and close to $47 million was drained from the DeFi protocol.
  • A vulnerability in the 0.2.15, 0.2.16, and 0.3.0 versions of the Vyper programming language led to the hacks. 
  • Crypto exchange Binance’s BNB Smart Chain suffered a similar exploit, and attackers drained $73K.
  • In August 2022, Curve Finance suffered another attack that led to a loss of $570,000.

Leading decentralized finance (DeFi) platform Curve Finance has been exploited, and according to blockchain security platform BlockSec, close to $47 million has been drained from the platform. A vulnerability in the Vyper programming language has been cited as the reason for the hacks. Interestingly, crypto exchange Binance’s BNB Smart Chain has also faced a similar exploit.

According to Vyper, the 0.2.15, 0.2.16, and 0.3.0 versions of the programming language are vulnerable to malfunctioning reentrancy locks. All projects operating on this programming language, including Curve Finance, have been asked to remain careful and reach out to the Vyper team.

“The investigation is ongoing, but any project relying on these versions should immediately reach out to us,” Vyper stated via social media platform X (formerly known as Twitter). Moreover, according to analysis by security firm Ancilia, 136 contracts used Vyper 0.2.15 with reentrant protection, 98 contracts used Vyper 0.2.16, and 226 contracts used Vyper 0.3.0.

Curve Finance also confirmed the exploit via its official X account, stating that a number of stablepools using Vyper 0.2.15, including alETH/msETH/pETH, have been exploited. Other pools, including crvUSD contracts and any pools with them, are not affected.

As per the initial analysis done by many people in the crypto space, some versions of the Vyper compiler do not correctly implement the reentrancy guard. The guard is meant to lock a contract so that its protected functions cannot be entered again while a call is still in progress; in the affected versions, that protection is not working. Without it, reentrancy attacks can potentially drain all funds from a contract. This is the basic reason for the exploit on Curve Finance.
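A toy Python model of the guard described above, added here as an illustration and not taken from Vyper, Curve or the original article. It assumes one way a guard can fail (each function gets its own lock instead of the contract sharing one); the article does not say how the affected compiler versions fail, and `Pool`, `withdraw`, `transfer` and `run` are hypothetical names.

```python
from contextlib import contextmanager

class Reentered(Exception):
    """Raised when a guarded function is entered while its lock is held."""

class Pool:
    # Constructed toy model with made-up balances; not Curve or Vyper code.
    def __init__(self, shared_lock):
        self.shared_lock = shared_lock  # True: one lock for the whole contract
        self.held = set()
        self.credits = {"alice": 60, "bob": 40}
        self.balance = 100  # funds actually held; must cover all credits

    @contextmanager
    def guard(self, fn_name):
        # Assumed failure mode: a per-function key lets a second function in.
        key = "lock" if self.shared_lock else fn_name
        if key in self.held:
            raise Reentered(fn_name)
        self.held.add(key)
        try:
            yield
        finally:
            self.held.discard(key)

    def withdraw(self, user, on_receive):
        with self.guard("withdraw"):
            self.balance -= self.credits[user]
            on_receive(self)         # external call made before state is updated
            self.credits[user] = 0

    def transfer(self, src, dst):
        with self.guard("transfer"):
            self.credits[dst] += self.credits[src]
            self.credits[src] = 0

    def solvent(self):
        return self.balance >= sum(self.credits.values())

def run(shared_lock):
    """Return (nested call blocked?, accounting invariant still holds?)."""
    pool, blocked = Pool(shared_lock), False
    def callback(p):
        nonlocal blocked
        try:
            p.transfer("alice", "bob")  # nested entry into a second guarded function
        except Reentered:
            blocked = True
    pool.withdraw("alice", callback)
    return blocked, pool.solvent()

if __name__ == "__main__":
    print("shared lock:", run(True), "| per-function lock:", run(False))
```

The `solvent()` check is the kind of invariant a test suite or monitor can assert after every call: with a working guard it holds, and with the broken one the recorded credits exceed the funds held.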

Along with Curve Finance, Binance’s BNB Smart Chain also suffered an exploit, and the attacker made off with more than $73,000 in cryptocurrencies. Attacks on Ethereum have already surpassed $41 million.

Interestingly, back in August 2022, Curve Finance suffered another attack that led to a loss of $570,000. However, Binance helped the DeFi platform recover close to $450k after the hacker tried to liquidate the assets. Curve revealed that the problem could possibly have been a result of a hack on the domain name server (DNS) provider ‘iwantmyname.’

Parth Dubey

A crypto journalist with over 3 years of experience in DeFi, NFT, metaverse, etc. Parth has worked with major media outlets in the crypto and finance world and has gained experience and expertise in crypto culture after surviving bear and bull markets over the years.