We are here with another hacking news in the altcoin world. Several stable pools using Vyper on Curve Finance were hacked on July 30. Versions 0.2.15, 0.2.16, and 0.3.0 of Vyper are vulnerable to bad reentrancy locks.
What do the analysis results say for altcoin?
There is an analysis of the contracts affected by the security firm Ancilia. Accordingly, reentrant protected Vyper 0.2.15 was used in 136 contracts, Vyper 0.2.16 in 98 contracts, and Vyper 0.3.0 in 226 contracts.
A number of stablepools (alETH/msETH/pETH) using Vyper 0.2.15 have been exploited as a result of a malfunctioning reentrancy lock. We are assessing the situation and will update the community as things develop.
Other pools are safe. https://t.co/eWy2d3cDDj
— Curve Finance (@CurveFinance) July 30, 2023
According to initial review, some versions of the Vyper compiler do not properly implement reentrancy protection, which prevents multiple functions from executing concurrently by locking a contract. Reentrancy attacks potentially drain all funds in a contract. Reentrancy attack is a security vulnerability that can occur in blockchain technology and especially in smart contracts running on the Ethereum platform.
What is Viper?
Vyper is a contract-oriented, Python-driven programming language targeting the altcoin Ethereum Virtual Machine (EVM). Vyper’s similarity to Python makes it one of the starting points for Python developers to jump into Web3. A number of decentralized finance projects were targeted in the attack. Decentralized exchange Ellipsis made a statement. Accordingly, it reported that a small number of stable pools with BNB were hacked using an old Vyper compiler.
$13.6 million came out of altcoin Alchemix’s alETH-ETH pool. Also, $11.4 million from JPEGd’s pETH-ETH pool and $1.6 million from Metronome’s sETH-ETH pool. Altcoin Curving Finance CEO Michael Egorov later made the statement on a Telegram channel. Accordingly, 32 million altcoins with a valuation of over $22 million confirmed have been drained from the CRV swap pool.
Certain type of Curve factory pool is encountering read-only reentrancy attack and causing a total loss of $11m(@JPEGd_69) + $13m(@AlchemixFi) + …
Initial investigation founds that vyper compiler (0.2.15) doesn't implement the reentrancy guard correctly.
add_liquidity and… pic.twitter.com/avaHdtSFsm
— Tony KΞ (@tonyke_bot) July 30, 2023
rescue operation
This exploit caused panic in the DeFi ecosystem. It also caused a wave of transactions between the pools and a rescue operation by the white hats. Curve Finance’s utility token, the altcoin Curve DAO (CRV), dropped more than 5% in response to the news. As Cryptokoin.com has already mentioned, the liquidity of CRV has dropped significantly in recent months. On the other hand, this made it vulnerable to severe price fluctuations. According to Curve Finance, the crvUSD contracts and any pools with it were not affected by the attack.
Curve Finance is a DeFi protocol that enables decentralized exchange of stablecoins (DEX) within altcoin Ethereum. Accordingly, the protocol has been the target of a number of events within its ecosystem. Just a few days ago, omnipool platform Conic Finance was hacked for $3.26 million worth of altcoin ETH. Accordingly, almost all of the stolen amount was sent to a new Ethereum address in a single transaction.
53185
