The DeFi ecosystem has been dealt a significant blow by a security exploit that hit both Curve Finance and the BNB Smart Chain (BSC).
Curve Finance, a prominent decentralized stablecoin exchange, reported a staggering loss of $41 million in crypto assets on Sunday, July 30. Separately, BNB Smart Chain reported that about $73,000 was siphoned off in a series of smaller copycat attacks.
A number of stablepools (alETH/msETH/pETH) using Vyper 0.2.15 have been exploited as a result of a malfunctioning reentrancy lock. We are assessing the situation and will update the community as things develop.
Other pools are safe. https://t.co/eWy2d3cDDj
— Curve Finance (@CurveFinance) July 30, 2023
These attacks were possible because of a bug in the Vyper compiler. Vyper is a Pythonic language for smart contracts on the Ethereum Virtual Machine (EVM) and is widely used in Web3 projects, so, according to persons familiar with the issue, the flaw may extend its reach to any other protocol whose contracts were built with an affected version.
The vulnerability was traced to a malfunctioning reentrancy lock in Vyper versions 0.2.15, 0.2.16, and 0.3.0. A reentrancy lock (Vyper's @nonreentrant decorator) is supposed to stop a contract from being called again while one of its guarded functions is still in the middle of an external call, for example while sending ETH to the caller; in those compiler versions the lock did not hold, which let attackers drain numerous DeFi pools. Because deployed contracts are immutable, a pool compiled with an affected version cannot be patched in place; the only fix is to migrate liquidity to a contract compiled with an unaffected version.
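To make the failure mode concrete, here is a toy model written for this article; it is not Curve's pool code, not the Vyper compiler, and not the July 30 attack. Two vault functions both claim the same lock key. The `lock_per_function` flag is an assumed simplification of a broken compiler that gives each function its own lock slot instead of one shared slot. With a shared slot, re-entering through the second function reverts; with per-function slots, the re-entry goes through and the attacker is credited twice for one deposit.

```python
"""Toy model of a nonreentrant lock. Added illustration only: this is not
Curve's pool code, not the Vyper compiler, and not the July 2023 attack.
It shows why a reentrancy lock must be one shared slot across every
function that claims the same key."""


class Reentered(Exception):
    """Raised when a lock is already held (stands in for an EVM REVERT)."""


class Vault:
    """Two functions guarded by the same lock key, "lock".

    lock_per_function=False: correct behaviour, one slot per key.
    lock_per_function=True:  assumed model of the bug, one slot per
                             (key, function), so a lock taken in one
                             function is invisible to the other.
    """

    def __init__(self, lock_per_function: bool):
        self.balances: dict[str, int] = {}
        self.locks: dict[tuple, bool] = {}
        self.lock_per_function = lock_per_function

    def _slot(self, key: str, fn: str) -> tuple:
        return (key, fn) if self.lock_per_function else (key,)

    def _acquire(self, key: str, fn: str) -> None:
        slot = self._slot(key, fn)
        if self.locks.get(slot):
            raise Reentered(f"{fn}: lock '{key}' already held")
        self.locks[slot] = True

    def _release(self, key: str, fn: str) -> None:
        self.locks[self._slot(key, fn)] = False

    def deposit(self, who: str, amount: int) -> None:
        self.balances[who] = self.balances.get(who, 0) + amount

    def withdraw_all(self, who: str, on_receive) -> int:
        """@nonreentrant("lock"): pays out via an external call (on_receive)
        BEFORE zeroing the balance, so it relies entirely on the lock."""
        self._acquire("lock", "withdraw_all")
        try:
            amount = self.balances.get(who, 0)
            on_receive(self, amount)      # control passes to the caller here
            self.balances[who] = 0
            return amount
        finally:
            self._release("lock", "withdraw_all")

    def transfer_internal(self, src: str, dst: str, amount: int) -> None:
        """@nonreentrant("lock"): second function using the same key."""
        self._acquire("lock", "transfer_internal")
        try:
            if self.balances.get(src, 0) < amount:
                raise ValueError("insufficient balance")
            self.balances[src] -= amount
            self.balances[dst] = self.balances.get(dst, 0) + amount
        finally:
            self._release("lock", "transfer_internal")


def run_scenario(lock_per_function: bool) -> dict:
    """Deposit 10, then withdraw while re-entering through transfer_internal
    from inside the payout callback. Returns what the attacker walked away with."""
    vault = Vault(lock_per_function)
    vault.deposit("attacker", 10)          # constructed sample input
    blocked = []

    def malicious_receive(v: Vault, amount: int) -> None:
        # Runs inside withdraw_all, while the attacker's balance is still 10.
        try:
            v.transfer_internal("attacker", "accomplice", amount)
        except Reentered:
            blocked.append(True)      # a real contract would swallow the revert

    withdrawn = vault.withdraw_all("attacker", malicious_receive)
    return {
        "withdrawn": withdrawn,
        "accomplice_balance": vault.balances.get("accomplice", 0),
        "reentry_blocked": bool(blocked),
    }


if __name__ == "__main__":
    print("shared lock:      ", run_scenario(lock_per_function=False))
    print("per-function lock:", run_scenario(lock_per_function=True))
```

With the shared lock the attacker receives 10 and the accomplice holds nothing; with per-function slots the attacker receives 10 and the accomplice still holds 10 inside the vault, twice the deposit. Note that the source is identical in both runs: the decorator is present either way. The practical check for a deployed Vyper contract is therefore the compiler version that produced its bytecode, not the presence of @nonreentrant in the source.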
Curve Finance and DeFi platforms under fire
Among the victims, Curve Finance took the brunt of the hit. Currently the third-largest decentralized exchange (DEX) by 7-day trading volume, Curve Finance lost a whopping $41 million, according to smart contract auditing firm BlockSec.
— BlockSec (@BlockSecTeam) July 30, 2023
Following the announcement of the breach, the platform’s native token, CRV, plummeted by over 13% in just 24 hours. Its trading volume swelled almost 15-fold, signalling panic among Curve Finance users.
But the security flaw didn’t stop at Curve Finance. Other DeFi platforms such as Ellipsis, Alchemix, JPEGd, and Metronome also fell prey to the exploit. These platforms experienced significant outflows from their respective pools, illustrating the wide-reaching effects of this single vulnerability.
The situation on BSC mirrored the Curve Finance exploit, albeit on a smaller scale. The same Vyper vulnerability was exploited there, with attackers stealing nearly $73,000 worth of cryptocurrencies. These occurrences underscore the fragility of the current DeFi ecosystem and the ever-looming threat posed by vulnerabilities in compilers and protocols, which affect every contract built on them rather than a single project.
Heroic acts and lessons learned
In the aftermath of these massive exploits, white hat hackers have worked tirelessly to thwart further attacks and recover as much lost crypto as possible. One white hat, known as "c0ffeebabe.eth", safely drained and returned over 2,000 ETH (amounting to over $5 million) to the Curve platform.
These incidents are stark reminders of the need to stay current with compilers, code libraries, apps, and operating systems. For immutable smart contracts that means knowing which compiler version produced each deployed contract, since a live pool cannot be patched in place. This sentiment was echoed by Changpeng Zhao, CEO of Binance, who assured users that they were unaffected by this exploit because Binance only uses Vyper version 0.3.7 or above.
CEX price feed saves DeFi. 😂🤷♂️
Binance users are not affected. Our team checked on the Vyper Reentrant Vulnerability. We only use version 0.3.7 or above.
— CZ 🔶 Binance (@cz_binance) July 31, 2023
Impact on CRV price
The recent exploit has severely impacted Curve DAO's CRV token, which suffered a 12% price drop to $0.64 as of 12:00 UTC on Monday, July 31, data from crypto price tracker CoinMarketCap showed. The plunge added to the turmoil by raising the risk that the roughly $70 million borrowing position held by Curve's founder on Aave, collateralized with CRV, would be liquidated.
In conclusion, the recent exploits on Curve Finance and BSC have sent ripples through the crypto industry. They highlight the critical importance of robust security measures, and of tracking the toolchain behind every deployed contract, in blockchain technology's fast-paced and ever-evolving world.