Massive Exploitation: Over $47M Drained from Curve Finance Pools Amid Reentrancy Vulnerability

On July 30, a significant security breach occurred on several stable pools on Curve Finance that employed Vyper, leading to staggering losses of over $47 million.

According to Vyper, their versions 0.2.15, 0.2.16, and 0.3.0 were found to be susceptible to malfunctioning reentrancy locks.

Vyper promptly responded to the incident, stating that an investigation into the matter was underway, and any projects relying on the aforementioned versions should urgently contact them.

Security firm Ancilia conducted an analysis of the affected contracts, revealing that 136 contracts utilized Vyper 0.2.15 with reentrant protection, 98 contracts employed Vyper 0.2.16, and 226 contracts utilized Vyper 0.3.0.

The preliminary findings indicate that certain versions of the Vyper compiler failed to correctly implement the reentrancy guard, which is designed to prevent multiple functions from executing simultaneously by locking a contract, according to Cointelegraph. Exploiting this vulnerability through reentrancy attacks enabled unauthorized access to and potential draining of funds from the contracts.

It is worth noting that Vyper is a contract-oriented programming language that resembles Python and targets the Ethereum Virtual Machine (EVM). Due to its similarities with Python, Vyper serves as an entry point for Python developers venturing into Web3 and smart contract development.

The attack significantly impacted several decentralized finance (DeFi) projects. Decentralized exchange Ellipsis reported that a few stable pools with BNB were exploited using an outdated Vyper compiler. Alchemix's alETH-ETH pool suffered a massive outflow of $13.6 million, while JPEGd's pETH-ETH pool saw $11.4 million being exploited.

Additionally, Metronome's sETH-ETH pool experienced a loss of $1.6 million. Furthermore, Michael Egorov, the CEO of Curve Finance, confirmed in a Telegram channel that 32 million CRV tokens, valued at over $22 million, were drained from the swap pool.

Nevertheless, as a result, the utility token of Curve Finance, experienced a decline of over 5% in its value.

Fortunately, according to Curve Finance, which operates as a DeFi protocol that facilitates the decentralized exchange of stablecoins on the Ethereum blockchain, the attack did not affect crvUSD contracts and any pools associated with it.

Despite this latest incident, the protocol has been the target of several attacks within its ecosystem. In fact, the DeFi space has experienced a surge in attacks over the past months. A report by De.Fi, a Web3 portfolio app, revealed that during the second quarter of 2023 alone, DeFi hacks and scams collectively swindled more than $204 million. These incidents underscore the growing security concerns and vulnerabilities within the DeFi sector.

The incident highlights the critical importance of stringent security measures and careful scrutiny of smart contracts in the DeFi space. As the investigation continues, developers and projects are urged to remain vigilant and proactively address potential vulnerabilities to prevent similar incidents in the future.