Decentralized finance (DeFi) platform Curve Finance had some of its stablepools exploited for $41 million in crypto due to a vulnerability in some versions of Vyper, the platform said via Twitter (now X) on 30 July.
In a separate announcement, the team behind Vyper, a third-party programming language for Ethereum smart contracts, warned the community that versions 0.2.15, 0.2.16, and 0.3.0 did not correctly implement the reentrancy guard, the lock that is meant to stop a contract's functions from being executed while another call into the contract is still in progress, and as a result left some pools vulnerable to reentrancy attacks. An analysis from security firm Ancilia suggests that over 450 contracts were compiled with the affected versions of Vyper.
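The guard the Vyper team describes exists to stop a contract's functions from being re-entered while one of them is still executing. The constructed Python model below (an added example, not Curve's or Vyper's code, and not a reproduction of the compiler defect itself) shows why such a lock must be shared by every guarded function: a lock tracked per function still lets an external callback re-enter a different function mid-call, and the pool then pays out more than was ever deposited.

```python
class Pool:
    # Toy ledger with two guarded entry points (constructed for illustration).
    def __init__(self, shared_lock):
        self.shared_lock = shared_lock  # True: one lock covers every guarded function
        self.locked = {}                # lock slots, keyed per function or shared
        self.balances = {}
        self.paid_out = 0               # total ever sent out of the pool

    def _guarded(self, fn, body):
        # Per-function slots model a guard that only stops same-function reentry.
        slot = "all" if self.shared_lock else fn
        if self.locked.get(slot):
            raise RuntimeError("reentrant call into %s blocked" % fn)
        self.locked[slot] = True
        try:
            return body()
        finally:
            self.locked[slot] = False

    def deposit(self, who, amount):
        self.balances[who] = self.balances.get(who, 0) + amount

    def transfer(self, src, dst, amount):
        def body():
            if self.balances.get(src, 0) < amount:
                raise ValueError("insufficient balance")
            self.balances[src] -= amount
            self.balances[dst] = self.balances.get(dst, 0) + amount
        return self._guarded("transfer", body)

    def withdraw(self, who, on_receive):
        def body():
            amount = self.balances.get(who, 0)
            on_receive(amount)          # external call happens before the balance update
            self.balances[who] = 0
            self.paid_out += amount
        return self._guarded("withdraw", body)


def simulate(shared_lock):
    # Returns (total paid out, whether the cross-function reentry was blocked).
    pool = Pool(shared_lock)
    pool.deposit("a", 50)               # the only funds the pool ever holds
    blocked = False

    def on_receive(amount):             # callback that re-enters a *different* function
        nonlocal blocked
        try:
            pool.transfer("a", "b", amount)
        except RuntimeError:
            blocked = True

    pool.withdraw("a", on_receive)
    pool.withdraw("b", lambda amount: None)
    return pool.paid_out, blocked
```

With the shared lock the pool never pays out more than the 50 deposited; checking that invariant under a re-entering callback is the test a reviewer would run against any guard implementation.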
While the total lost in the attacks on the affected pools remains unclear, a member of Curve’s team revealed on Discord that “all affected pools have been drained or white hacked, and the team is assessing the situation with affected teams”. The CEO of Curve, Michael Egorov, confirmed via Telegram that close to $22 million worth of CRV tokens were drained from swap pools. Security firm BlockSec, however, has estimated that the overall asset outflow connected to the incident was closer to $41 million.
Curve Finance was not the only DeFi platform affected by the vulnerability. Decentralized exchange Ellipsis saw a small number of stablepools with BNB exploited using the Vyper vulnerability. Alchemix’s alETH-ETH, JPEGd’s pETH-ETH, and Metronome’s sETH-ETH pools also saw significant outflows. BlockSec further reported a copycat attack on BNB Smart Chain (BSC) using the same Vyper vulnerability, in which the attacker stole close to $73,000 worth of crypto.
Ever since news of the exploit broke, whitehat hackers have been attempting to disrupt a number of exploit attempts and to recover as much of the lost funds as possible. A whitehat hacker known as “c0ffebabe.eth” was able to drain some funds for safekeeping, and later returned close to 2,000 ETH (over $5 million) to the Curve platform. She also moved another 1,000 ETH to a newly created wallet, presumably a cold wallet for safekeeping.