In the past 24 hours, hacking attacks for two altcoin projects have come to the fore. NFT lending platform JPEG’d suffered a loss of $11 million. Moreover, the JPEGG token lost 40 percent of its value. On the other hand, CRV, the token of popular DeFi platform Curve Finance, fell 15 percent on the news of the hack. Here are the details…
NFT platform JPEG’d hacked: Altcoin price drops 40 percent
On July 30, 2023, leading cybersecurity firm Peckshield made an announcement. NFT has announced that its lending project JPEG’d (JPEG) has come under a devastating attack. It reported losses of up to 6,106 WETH, valued at over $11 million. According to security experts, hackers have used a technique that has become increasingly common in recent months. They used the read-only reentrancy attack. In simple terms, this attack involves repeatedly executing withdrawal commands before oracle updates the correct balance. It allows manipulation of the platform’s price reference system.
As Cryptokoin.com has reported, the attack method has come up with many projects. Some of these are Conic Finance ($3.2 million), Era Lend ($3.4 million), and Sturdy Finance ($800,000). Thus, it highlighted its growing popularity among malicious actors. Following the news of the attack, the JPEG token’s price dropped by a staggering 40 percent. It revealed the strong response of the altcoin market to cybersecurity events. All in all, the attack on the JPEG’d project is a bitter lesson in the importance of security in the cryptocurrency industry. Projects and platforms should focus on improving the reliability of their systems.
What happened in the Curve hack?
In the last 24 hours, Curve Finance, the largest stablecoin exchange, has faced a series of relentless attacks on its liquidity pools. According to an announcement from the project, several stable repositories, including alETH, msETH and pETH using the Vyper 0.2.15 programming language, have fallen victim to repeated recentering attacks. In a tweet by Curve Finance, “A number of stablepools (alETH/msETH/pETH) using Vyper 0.2.15 were exploited as a result of a malfunctioning reentrancy lock. We are assessing the situation and will keep the community informed as developments occur. Other pools are safe.” said.
A number of stablepools (alETH/msETH/pETH) using Vyper 0.2.15 have been exploited as a result of a malfunctioning reentrancy lock. We are assessing the situation and will update the community as things develop.
Other pools are safe. https://t.co/eWy2d3cDDj
— Curve Finance (@CurveFinance) July 30, 2023
The problems started when JPED’d, which we reported above, announced an attack on the pETH-ETH liquidity pool, resulting in losses of up to 11.4 million USD. Shortly after, the Metronome project’s sETH-ETH pool suffered a similar breach. Then more than 1.6 million USD was withdrawn. Then there were reports of attacks on repositories from projects like Alchemix, Debridge, Elippsis, and more. As reported by security firm BlockSec, a total of over 41 million USD was withdrawn from various pools on Curve due to the aforementioned vulnerability.
Aave tried to protect users in Curve attack
Wintermute Research Manager Igor Igamberdiev explained that the attacker carried out a recentering attack on factory pools using a specific version of the Vyper programming language. More than $100M of assets in these factory pools are currently at risk due to the Vyper language bug. However, Vyper explained that only versions 0.2.15, 0.2.16, and 0.3.0 are vulnerable to attack because these versions do not have the anti-reentrancy feature. To mitigate the impact of the attacks, Mimaklas, a member of the project team, announced that the liquidity of all the affected pools was withdrawn by teams of white hat hackers. After the initial attack took place, the value of the Curve DAO’s token, CRV, fell by over 15 percent. It is currently changing hands at $0.64.
Meanwhile, in a swift response to the ongoing brutal attacks on Curve Finance liquidity pools, Aave Ethereum v2 release took precautionary measures by disabling the CRV borrowing functionality. The decision to disable CRV borrowing is in line with the guidelines set out in the Aave Improvement Proposal (AIP-125), which authorizes Aave management to restrict the borrowing functionality of certain assets in an emergency. This measure has been taken to preserve the integrity of the platform and protect users’ funds during turbulent times.
As of now, Aave v2 has a substantial supply of over 300 million CRV tokens, with around 95 percent of them originating from CRV founder Michwill. However, borrowing activity for the altcoin CRV has been relatively low, with only about 35 million CRV borrowed so far. Aave v2 aims to reduce the impact of these attacks on the platform by temporarily disabling the CRV borrowing functionality.
53654
