On Sunday, July 30, 2023, the world of decentralized finance was rocked by a major attack exploiting a vulnerability in the Vyper programming language used by several Curve protocol liquidity pools. How did the attackers manage to steal over $41 million?
A flaw in the Vyper language is to blame
Attackers exploited a vulnerability in certain liquidity pools of Curve, the well-known decentralized finance (DeFi) protocol. The vulnerability has been traced back to Vyper, an alternative programming language for Ethereum smart contracts.
Several of Curve’s pools using Vyper were exploited, resulting in losses estimated at $41 million according to security firm BlockSec. Vyper versions 0.2.15, 0.2.16 and 0.3.0 were found to be vulnerable to a reentrancy attack.
In concrete terms, a reentrancy attack occurs when a smart contract function makes an external call to another, untrusted smart contract. The latter then makes a recursive call back into the original function with the aim of draining funds. Because the smart contract fails to update its state before sending funds, the attacker can call the withdrawal function repeatedly to drain funds.
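The withdrawal ordering described above, modelled in plain Python as an added example (not code from Curve or Vyper): the vulnerable path updates the balance after the external call, while the hardened path updates state first and holds a lock during the call. The `Pool`, `Depositor`, `ReenteringDepositor` and `simulate` names and the 90/10 deposits are constructed for illustration.

```python
# Constructed model (plain Python, not Vyper or EVM code) of the ordering flaw.
class Pool:
    def __init__(self, hardened):
        self.hardened = hardened  # True: lock + state update before the external call
        self.balances, self.reserves, self.locked = {}, 0, False

    def deposit(self, who, amount):
        self.balances[who] = self.balances.get(who, 0) + amount
        self.reserves += amount

    def withdraw(self, who):
        if self.hardened:
            if self.locked:
                raise RuntimeError("reentrant call rejected")
            self.locked = True
        try:
            amount = min(self.balances.get(who, 0), self.reserves)
            if amount == 0:
                return
            if self.hardened:
                self.balances[who] = 0   # effect recorded before the interaction
            self.reserves -= amount
            who.receive(self, amount)    # external call into untrusted code
            if not self.hardened:
                self.balances[who] = 0   # vulnerable order: state updated too late
        finally:
            self.locked = False          # a rejected inner call never reaches this

class Depositor:
    def __init__(self):
        self.received = 0
    def receive(self, pool, amount):
        self.received += amount

class ReenteringDepositor(Depositor):
    """Untrusted recipient whose payout callback calls withdraw() again."""
    rejected = 0
    def receive(self, pool, amount):
        self.received += amount
        try:
            pool.withdraw(self)
        except RuntimeError:
            self.rejected += 1

def simulate(hardened):
    pool, honest, untrusted = Pool(hardened), Depositor(), ReenteringDepositor()
    pool.deposit(honest, 90)      # constructed sample deposits
    pool.deposit(untrusted, 10)
    pool.withdraw(untrusted)
    return untrusted.received, pool.reserves, untrusted.rejected
```

`simulate(False)` shows a 10-unit depositor leaving with the pool's entire 100 units; `simulate(True)` pays out exactly 10 and records one rejected nested call.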
According to an analysis by security firm Ancilia, 136 smart contracts used Vyper 0.2.15, 98 smart contracts used Vyper 0.2.16 and 226 smart contracts used Vyper 0.3.0:
We did a fast run on github.
136 contracts found compiled with vyper 0.2.15 and used reentrant protection;
98 contracts found with 0.2.16 version
226 contracts found with 0.3.0 version
– Ancilia, Inc (@AnciliaInc) July 30, 2023
Thus, several pools have been completely drained of their liquidity:
- Curve’s CRV-ETH pool: $14 million loss;
- Alchemix alETH-ETH pool: losses of $13.66 million;
- JPEG’d pETH-ETH pool: $11.4 million loss;
- Metronome’s sETH-ETH pool: losses of $1.6 million.
On Twitter, Vyper explained that the malfunction was due to the language's compiler, which had failed in some cases. As a result, the protections against reentrancy attacks failed to work.
The CRV token drops sharply
Following the attack on Curve’s pools, the price of CRV began a rapid fall. CRV fell from $0.70 to $0.59 in the space of just 60 minutes, a drop of around 16%.

Evolution of the CRV price following the attack