Not a day goes by without a new FUD development in the cryptocurrency markets.
On Sunday, five separate attacks were carried out against the decentralized finance (DeFi) protocol Curve Finance, and the finalized damage figure was announced as $47 million. According to some experts, the damage could be as high as $70 million.
At the time of the attack, the CRV price dropped as low as $0.10 on-chain.
The incident resulted from a vulnerability in Vyper versions 0.2.15, 0.2.16 and 0.3.0, which were used by several Curve Finance pools.
The primary cause of the hack was a flaw in the reentrancy locks of certain versions of Vyper, a contract-oriented, Pythonic programming language targeting the Ethereum Virtual Machine (EVM). Because of its similarity to Python, Vyper is the preferred choice for Python developers migrating to Web3.
To elaborate on the attack, the first hack hit JPEG’d’s $11 million pETH-ETH pool. Four more attacks followed, on Alchemix’s alETH-ETH, Pendle’s pETH-ETH, Metronome’s mETH-ETH and CRV-ETH pools.
According to a statement from Curve Finance, some of these attacks were carried out by well-meaning hackers who wanted to secure the funds in liquidity pools before malicious hackers could reach them. As soon as the issue was resolved, the well-meaning hackers returned the rescued funds to Curve Finance.
According to initial research, some versions of the Vyper compiler do not properly implement reentrancy protection, the mechanism that locks a contract to prevent multiple functions from executing at the same time. This failure allowed assets to be drained from the pools.
Users of other DeFi protocols are currently withdrawing their assets in panic, since all DeFi projects using these versions of Vyper are at risk of being hacked.
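For teams checking their own exposure to the three compiler versions named above, here is a minimal source audit. It is an added example, not code from Curve, Vyper or this article's author; it assumes the compiler is declared in a source pragma, and the file names and sample contracts are constructed.

```python
import re

# Compiler versions the article names as having the faulty reentrancy lock.
AFFECTED = {"0.2.15", "0.2.16", "0.3.0"}

# Vyper sources declare their compiler with "# @version X" or "#pragma version X".
PRAGMA = re.compile(r"^#\s*(?:@version|pragma\s+version)\s+(.+?)\s*$", re.M)
GUARD = re.compile(r"^\s*@nonreentrant\(\s*['\"]([^'\"]+)['\"]\s*\)", re.M)
EXACT = re.compile(r"=*\s*(\d+\.\d+\.\d+)")

def audit(source: str) -> dict:
    """Classify one Vyper source file by compiler pin and lock usage."""
    m = PRAGMA.search(source)
    spec = m.group(1) if m else None
    locks = sorted(set(GUARD.findall(source)))
    exact = EXACT.fullmatch(spec) if spec else None
    if spec is None:
        status = "unknown"      # no pragma: the build config decides the compiler
    elif exact is None:
        status = "review"       # a range (^, >=, ~) may resolve to an affected release
    elif exact.group(1) in AFFECTED:
        status = "affected"
    else:
        status = "not-listed"   # exact pin outside the three versions named above
    # Flag only files that actually rely on the lock and are not cleared by an exact pin.
    return {"spec": spec, "status": status, "locks": locks,
            "flag": bool(locks) and status != "not-listed"}

def scan(files: dict) -> dict:
    """Audit a mapping of file name -> source text."""
    return {name: audit(src) for name, src in files.items()}

# Constructed sample sources (not taken from any real pool).
BODY = "@external\n@nonreentrant('lock')\ndef withdraw(amount: uint256):\n    pass\n"
SAMPLES = {
    "pool_a.vy": "# @version 0.2.15\n" + BODY,
    "pool_b.vy": "# @version ^0.2.0\n" + BODY,
    "pool_c.vy": "#pragma version 0.3.7\n" + BODY,
    "pool_d.vy": BODY,
}

if __name__ == "__main__":
    for name, result in scan(SAMPLES).items():
        print(f"{name}: {result['status']:<10} flag={result['flag']} locks={result['locks']}")
```

A "review" or "unknown" result means the source alone does not settle which compiler built the deployed bytecode, so the build or deployment records have to be checked.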
Many community members primarily blame the Alchemix, JPEG’d and Curve team members (who are actively involved in maintaining the Vyper codebase) for the bug.
However, the founder of Wildcat Finance, Dr. Laurence Day, stated that the problem stems from the lack of a priori controls and that there is no need to point fingers at anyone.
It is interesting to note that MEV bots have also become part of this story: an MEV researcher acted before the hacker and removed some funds from the pETH-ETH pool in the first hack.
Curve Finance’s TVL fell 48% from $3.26 billion to $1.67 billion in one day, according to data from DefiLlama.
Investors preferred to wait for the storm to pass because they feared the attack would spread to other liquidity pools. This choice cost Curve Finance a large amount of liquidity.
Featured Notes:
After South Korean exchange Upbit suspended deposits and withdrawals, the price of CRV on another South Korean exchange, Bithumb, rose by about 640% to reach approximately $4.7.
On other exchanges, CRV is trading at around $0.81.
Bithumb and Upbit climbed to third and fourth positions in CRV spot trading volume.
Following the latest developments, we will keep watching together to see whether the DeFi sector continues to take damage.