Curve, leader in DeFi, victim of a $52 million hack!

Last Sunday, the world of decentralized finance (DeFi) was rocked by a major attack targeting the Curve protocol’s liquidity pools. The attackers exploited a flaw in the Vyper programming language, resulting in considerable losses, estimated at $52 million. The attack had a major impact on the DeFi ecosystem, affecting several important projects.

Vyper programming language compromises DeFi Curve protocol

On Sunday, July 30, 2023, the world of decentralized finance was shaken by a devastating attack that caused major losses for users of the Curve protocol, totaling $52 million.

The attack took place in two distinct phases:

In the first phase, several DeFi projects such as JPEG’d, Alchemix and MetronomeDAO were targeted, resulting in losses of around 26 million dollars.

The second phase specifically targeted a Curve liquidity pool, CRV-ETH, from which the attackers drained 7.1 million CRV and 7,680 ether.

After an investigation, the developers discovered a flaw in the Vyper programming language. Vyper versions 0.2.15, 0.2.16 and 0.3.0 contained vulnerabilities that enabled attackers to consistently divert funds from vulnerable pools.

According to the analysis carried out by Ancilia, 136 smart contracts used Vyper version 0.2.15, 98 used version 0.2.16 and 226 used version 0.3.0. This explains the extent of the damage suffered.
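A defender's first triage step after such an advisory is to find which contract sources accept one of the three affected compiler releases. The sketch below is an added example, not code from the article, Curve or the Vyper project: the function names and sample sources are constructed, and the caret operator is assumed to follow npm-style semantics.

```python
import re

# Compiler releases the article lists as vulnerable.
AFFECTED = [(0, 2, 15), (0, 2, 16), (0, 3, 0)]

# Vyper version pragma line: "# @version ..." or "#pragma version ...".
PRAGMA = re.compile(r"^#\s*(?:@version|pragma\s+version)\s+(.+)$", re.M)
CLAUSE = re.compile(r"(\^|>=|<=|==|>|<)?\s*(\d+)\.(\d+)\.(\d+)")

def admits(op, base, ver):
    """True if the constraint `op base` accepts compiler version `ver`."""
    if op == "^":  # assumption: npm-style caret, leftmost non-zero part is fixed
        if base[0]:
            upper = (base[0] + 1, 0, 0)
        elif base[1]:
            upper = (0, base[1] + 1, 0)
        else:
            upper = (0, 0, base[2] + 1)
        return base <= ver < upper
    return {"==": ver == base, ">=": ver >= base, "<=": ver <= base,
            ">": ver > base, "<": ver < base}[op]

def affected_versions(source):
    """Affected releases the pragma permits; None if there is no usable pragma."""
    line = PRAGMA.search(source)
    clauses = CLAUSE.findall(line.group(1)) if line else []
    if not clauses:
        return None  # unpinned source: needs manual review
    parsed = [(op or "==", tuple(map(int, nums))) for op, *nums in clauses]
    return [".".join(map(str, v)) for v in AFFECTED
            if all(admits(op, base, v) for op, base in parsed)]

# Constructed sample sources (hypothetical file names, not real contracts).
SAMPLES = {
    "pinned.vy": "# @version 0.2.15\n# pool logic...\n",
    "caret.vy": "# @version ^0.2.15\n",
    "range.vy": "# @version >=0.2.16,<0.3.1\n",
    "patched.vy": "# @version 0.3.1\n",
    "unpinned.vy": "# no version pragma here\n",
}

if __name__ == "__main__":
    for name, src in SAMPLES.items():
        print(f"{name:12} -> {affected_versions(src)}")
```

A pragma only states which compilers the source accepts; which release actually built the deployed bytecode still has to be confirmed from build or verification records.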

In a message posted on Twitter, Vyper explained that the failure was related to the programming language's compiler, which had failed in certain situations.

Ethical hacker intervenes and saves $5.4 million

After the attack, ethical hackers, also known as “whitehats”, intervened to try to recover some of the funds.

A MEV bot operator, “c0ffeebabe.eth”, surprised the DeFi ecosystem by recovering 2,879 ETH, equivalent to around $5.4 million.

Thanks to him, the total loss is “only” $46.5 million.

Following the attack on Curve’s pools, the platform’s native token, CRV, suffered a drop in value of around 18% in 24 hours, with the price dropping from $0.70 to $0.59. The Curve protocol has assured us, however, that the attack did not affect its crvUSD stablecoin or the protocol’s other pools.

Although the ethical hacker made efforts to recover these funds, the losses remain considerable. This attack highlights the urgent need to reinforce security in the DeFi ecosystem to prevent such losses in the future. And in the end, the best place to keep your assets is outside the protocols, in a cold wallet.