A vulnerability in the Vyper programming language widely used by DeFi protocols like Curve Finance led to the exploit of multiple Curve liquidity pools on Sunday, July 30.
Several Curve Finance liquidity pools were attacked on July 30 due to a vulnerability found in the Vyper programming language. Vyper is a contract programming language created for the Ethereum Virtual Machine (EVM).
Curve Finance is one of the key decentralized finance (DeFi) protocols due to its key liquidity services, and the code vulnerability has put nearly $100 million worth of digital assets at risk.
The vulnerability was found in the version 0.2.15, 0.2.16 and 0.3.0, leading to a malfunctioning reentrancy lock. As a result, millions were drained from four Curve pools, namely aETH/ETH, msETH/ETH, pETH/ETH and CRV/ETH. The flaw in three of its variants may have an effect on a number of other protocols.
Please note that this reentrancy issue is associated with the use of 'use_eth', which could potentially place the WETH-related pools in jeopardy! @CurveFinance , please DM us if you need any help. https://t.co/vjc1RRce7w pic.twitter.com/Wz8DXJZK7Y
— BlockSec (@BlockSecTeam) July 30, 2023
The price of the native token of Curve Finance (CRV) collapsed on the DeFi market due to the significant draining of several pools; however, it was eventually saved by the centralized exchange price feed. The CRV price hit $0.086 on decentralized exchanges but traded at $0.60 on centralized exchanges (CEXs), preventing the token’s price from collapsing to zero.
Related: Pro-XRP lawyer claims SEC prioritizes corporate capitalism over investors
Curve pools use Chainlink’s oracle system that incorporates several price feeds, including centralized exchanges. If not for the CEX price feed, Curve Finance would have collapsed. This ironic incident drew the attention of Binance CEO Changpeng Zhao, who chuckled at the fact that, in the end, it was a CEX price feed that saved the DeFi protocol.
Zhao noted that the Vyper vulnerability did not impact Binance, as the crypto exchange has updated the code to the latest version. He also reminded everyone of the importance of code library upgrades.
CEX price feed saves DeFi. ♂️
— CZ Binance (@cz_binance) July 31, 2023
Binance users are not affected. Our team checked on the Vyper Reentrant Vulnerability. We only use version 0.3.7 or above.
It's important to stay up-to-date with code libraries, apps and OS. And stay #SAFU https://t.co/0GFv86KP9R
The bug in the earlier versions of the Vyper code is believed to be at least 1.5 years old, and the exploiter is believed to have dug deep in the release history to find an exploitable issue for a large protocol with millions of dollars at stake. A Vyper program contributor on X (Twitter) suggested the amount of time and resources put into the exploit indicates it might be a state-sponsored attack.
Collect this article as an NFT to preserve this moment in history and show your support for independent journalism in the crypto space.
Magazine: Should crypto projects ever negotiate with hackers? Probably
You can get bonuses upto $100 FREE BONUS when you:
💰 Install these recommended apps:
💲 SocialGood - 100% Crypto Back on Everyday Shopping
💲 xPortal - The DeFi For The Next Billion
💲 CryptoTab Browser - Lightweight, fast, and ready to mine!
💰 Register on these recommended exchanges:
🟡 Binance🟡 Bitfinex🟡 Bitmart🟡 Bittrex🟡 Bitget
🟡 CoinEx🟡 Crypto.com🟡 Gate.io🟡 Huobi🟡 Kucoin.
Comments