Just last week, everybody was discussing the hacking incident at the decentralized Curve exchange. Now everything seems better, but we should still take a closer look at the details of the exploit to try and see what lessons can be learned from it.
An Overview of the Incident
In late July of 2023, the Curve Finance DeFi protocol was exploited. Fraudsters gained access to assets in the platform's pools because of a vulnerability in the Vyper smart-contract programming language, as confirmed by its developers. The vulnerability allowed attackers to craft smart contracts that executed transactions without user authorization. Information about the security breach was posted on the protocol's microblog.
Curve Finance's vulnerability allowed fraudsters to access assets worth over $47 million. Also, Vyper's problems allowed attackers to conduct a similar attack on the Binance cryptocurrency exchange blockchain - BNB Smart Chain (BSC) - and withdraw $73,000 worth of assets from it.
What Exactly Happened to Curve Finance?
Curve Finance experienced a significant hack that occurred in two stages. Initially, hackers stole approximately $26 million due to a reentrancy vulnerability. This was followed by the second stage of the attack, during which 7.1 million CRV ($4.4 million) and 7,680 Wrapped Ether ($14.37 million) were withdrawn from the CRV-ETH Curve Finance pool.
The hackers were able to exploit a vulnerability in an outdated version of the Vyper programming language. As a result, TVL fell from $3.26 billion to $1.72 billion, a decrease of nearly 46% within a 24-hour period.
What is Vyper?
Vyper is a contract-oriented, Python-based programming language designed for the Ethereum virtual machine. The developers have identified that the reentrancy exploit exists in versions 0.2.15, 0.2.16, and 0.3.0.
According to Ancilia analysts, approximately 460 protocols utilize vulnerable software.
According to Curve's investigation, some compiler versions incorrectly implemented reentrancy protection, the lock that is meant to prevent several functions of a contract from executing at the same time by locking the contract. Because the lock did not work as intended, attackers were able to withdraw funds from multiple projects.
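An added illustration, not code from Curve or Vyper, of why the reentrancy lock must be shared by every function that names it: a Python model of @nonreentrant("lock") semantics in which withdraw() makes an external call before clearing the caller's credit and the callback re-enters a different guarded function. The toy contract, account names and balances are constructed; a correctly compiled lock refuses the re-entry, while a lock kept per function (which is how the affected Vyper builds behaved for functions sharing one key) lets the vault's reserve fall below what depositors are still credited.

```python
class Reentered(Exception):
    """Raised when a guarded function is entered while its lock is held."""
class Vault:
    """Toy contract: withdraw() and transfer() both use the lock key "lock"."""
    def __init__(self, shared_lock, credits):
        # A correct compiler maps every function using key "lock" to ONE slot;
        # shared_lock=False models a lock that is instead kept per function.
        self.shared_lock = shared_lock
        self.locked = {}                      # lock slot -> held?
        self.credit = dict(credits)           # account -> units credited (constructed)
        self.reserve = sum(credits.values())  # units actually held by the vault

    def _enter(self, fn):
        slot = "lock" if self.shared_lock else ("lock", fn)
        if self.locked.get(slot):
            raise Reentered(fn)
        self.locked[slot] = True
        return slot

    def transfer(self, src, dst, amount):
        slot = self._enter("transfer")
        try:
            if self.credit.get(src, 0) < amount:
                raise ValueError("insufficient credit")
            self.credit[src] -= amount
            self.credit[dst] = self.credit.get(dst, 0) + amount
        finally:
            self.locked[slot] = False

    def withdraw(self, acct, on_receive):
        slot = self._enter("withdraw")
        try:
            amount = self.credit.get(acct, 0)
            self.reserve -= amount
            on_receive(amount)            # external call runs BEFORE credit is cleared
            self.credit[acct] = 0
        finally:
            self.locked[slot] = False

def remaining_reserve(shared_lock):
    # "lp" holds 90 and "caller" 10; the caller re-enters transfer() during withdraw().
    v = Vault(shared_lock, {"lp": 90, "caller": 10})
    def on_receive(amount):
        try:
            v.transfer("caller", "caller_alt", amount)  # a different guarded function
        except Reentered:
            pass                                        # shared lock refuses re-entry
    v.withdraw("caller", on_receive)
    v.withdraw("caller_alt", lambda _: None)
    return v.reserve                                    # 90 if shared, 80 if per-function
```

With the shared lock the vault keeps the 90 units still credited to "lp"; with per-function locks it is left holding 80 against 90 of outstanding credit.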
Curve DeFi projects, including JPEG's, MetronomeDAO, deBridge, and Ellipsis, were affected by the attack. The pool with the most losses is alETH-ETH Alchemix, with a value of $13.6 million.
Price Impact
According to DeFi Llama, the total value locked in Curve Finance almost halved within a day - from $3.25 million to $1.73 million.
As a result of the attack, the value of the native Curve Finance (CRV) token dropped by 14%, although it has recovered by now.
The founder of the crypto platform Matrixport, Jihan Wu, expressed support for the project and stated that he had purchased CRV tokens during the fall. In his opinion, Curve Finance is one of the most important infrastructures in the upcoming large-scale wave of tokenization of real assets.
Upbit, the largest South Korean exchange, announced that CRV volatility had increased due to the attack. As a result, the platform suspended all deposits and withdrawals of the coin.
“Falling liquidity is never a good thing for markets, especially stablecoins, which need to trade in a very tight range,” said Clara Medalie, director of research at Kaiko.
Impact on the DeFi Sector
At the time of the incident, over 450 liquidity pools were using vulnerable Vyper versions. Therefore, the number of victims and the extent of losses could be significantly higher.
The incident affected the Alchemix, JPEG's, MetronomeDAO, Ellipsis, and deBridge projects.
The most affected pools were:
- pETH/ETH - 6106.65 WETH;
- msETH/ETH - 866.55 WETH (~$1.6 million) and 959.71 msETH;
- alETH/ETH - 7258.7 WETH and 4821.55;
- CRV/ETH - 7,193,401.77 CRV (~$5.1 million at the time of the incident), 7680.49 WETH (~$14.2 million) and 2879.65 ETH.
Additionally, the Arbitrum Tri-Crypto pool could be affected. Vyper auditors and developers could not confirm the exploit, but the Curve team advised liquidity providers to exit as a precaution.
Although the emergency DAO could not halt the pool or touch user funds, it was able to suspend the emission of additional CRV. Michael Egorov, founder of Curve Finance, told Bloomberg that the DeFi industry would survive the hack.
Media and Community Reactions
Tweets that Exacerbated the Incident
In the first few minutes following the hack, analysts from BlockSec and PeckShieldAlert shared excerpts from the open-source Vyper compiler on the social network X (formerly known as Twitter). These excerpts revealed the specific details of the vulnerability.
These tweets provided an opportunity for third-party hackers to "join the hack" and worsened the situation. Such actions were condemned by the community, and the original posts were deleted.
After facing a wave of criticism, BlockSec representatives responded by stating that their decision to publish a tweet containing the attack details was driven by the urgency to promptly alert the community, as the Curve Finance team was unavailable for contact.
At least in part because of the Twitter activity, the pools were targeted by multiple attackers. Among them, however, were "white hat" hackers, thanks to whom the project recovered some of the stolen funds. A white hat operating under the nickname c0ffeebabe.eth returned 2,879 ETH (worth approximately $5.4 million) to the decentralized finance (DeFi) protocol Curve Finance. The money had been diverted from the CRV-ETH liquidity pool during the exploit.
Using an MEV bot, the defender front-ran the attacker and secured the 2879 ETH. According to the latest data, he later returned this amount to Curve.
However, the amount returned is only a fraction of the total stolen money. In total, Curve Finance's vulnerability allowed fraudsters to access assets worth over $47 million. In addition, vulnerabilities in Vyper allowed attackers to carry out a similar attack on the Binance cryptocurrency exchange's blockchain - BNB Smart Chain (BSC).
Views of Community Members
At the time of the incident, it was widely said that such a situation could cause unprecedented panic and a drop in liquidity across the DeFi sector. However, things seem to be back on track for Curve Finance. The compiler problem has now been resolved. The developers clarified that the attacker had to "thoroughly investigate" the version history to find this problem, which was not immediately obvious.
JPMorgan analysts have concluded that the Curve attack's consequences on the DeFi ecosystem seem localized.
A DeFi researcher, nicknamed Ignas, stated that the Curve Finance incident "has undermined confidence in decentralized finance."
"If a protocol that has been running without problems for three years suddenly experiences an exploit, it raises concerns about the safety of other well-established platforms such as AAVE, Compound, or even Uniswap." There are significant risks associated with hacking Uniswap v4 due to its monolithic design of smart contracts, as all assets would become instantly vulnerable, he added.
Ignas noted that several protocols, whose synthetic assets rely on the CRV token's liquidity, may owe debts to users. In particular, he mentioned the liquidation of CRV, AAVE, Frax, and Abracadabra, totaling $100 million, following the attack. Also, in his opinion, the incident could slow down institutional DeFi adoption.
At the same time, Rune Christensen, co-founder of MakerDAO, believes that the recent exploit in Curve Finance will be the "final collapse" before the cryptocurrency market experiences new growth. Nostra founder David Garay agrees with him: "It could also be a turning point when lending protocols finally begin proactive monitoring of online liquidity for each specific type of collateral."
Curve Hacker Returns Some Stolen Assets
Curve Finance offered a reward of $1.85 million for identifying the hackers who breached the platform to bring them to trial. Soon, an unknown hacker initiated a refund. At the time of writing, he had returned assets worth more than $20 million.
In the message regarding the transaction, the hacker explained that his decision was not driven by fear of being caught. Instead, it was driven by his unwillingness to destroy the project. The JPEG's project also confirmed the return of 5,494 WETH (more than $10 million). The hacker received a 10% reward of 610.6 WETH ($1.1 million).
Conclusion
Given the widespread use of CRV as a collateral asset, the liquidation cascade could pose a significant challenge for the DeFi sector. This sector has yet to fully recover from a prolonged bear market.
But it seems that the developers contained the damage caused by this hack. Additionally, Curve CEO Michael Egorov took matters into his own hands, liquidating his assets to pay off the debts and avert a DeFi crash.
Unfortunately, not all cryptocurrency stories end positively. According to CertiK, in the second quarter of 2023 alone, thefts worth $313.6 million were committed. Of these, less than half was returned, and the majority of the crimes have not yet been solved.