Curve protocol was attacked on Sunday, resulting in more than $50 million worth of cryptocurrency being drained from its vaults. The hackers used a vulnerability in the Vyper programming language used for the platform’s code.
Curve is an automatic decentralized exchange (DEX) allowing automatic swaps of stablecoins. The crypto assets are placed by the users (liquidity providers) in its vaults and all operations are performed by blockchain smart contracts.
One of these smart contracts, written in a faulty Vyper edition, was reported to have a ‘reentrancy' bug by BlockSec, a blockchain security firm.
It is worth noting that leading DeFi players blame the security firm for making the bug public and opening the door for hackers, instead of communicating it to the developers. BlockSec responded to this by posting an hourly log of events, arguing that hackers learned about the bug at exactly the same time as them.
[..]We located this WETH pool (0x8301) issue at 17:10 UTC on July 30. Unfortunately, we cannot DM @CurveFinance on Twitter because their DM is not allowed. So we shared this finding with a trusted channel and asked him to help forward this finding to the protocol at 17:16 UTC. After that, we actively monitored this pool for any suspicious activities. [..] Two hours later, at 19:08 UTC, unfortunately, our internal system reported an attack on this pool. This means attackers have also located the same issue and successfully launched the attack.
Curve protocol and Vyper programming language’s Twitter accounts confirmed the problems and posted instructions for their users.
At the time of writing the amount stolen from the protocol is estimated to be well above $50 million. Interestingly, a ‘white hat’ hacker managed to catch and return nearly $5.5 million of it, by front-running the attacker’s transactions on the blockchain.
CRV, Curve's DAO token dropped 14% as a result of the exploit. DeFi markets are interrelated, and such incidents rarely happen in isolation. This one was no exception and there were reports of significant liquidation risks on the positions that Curve owner and largest CRV holder, Michael Egorov, maintains on automated DeFi lending platforms. Bankless reported panic on related DeFi lending markets.
Curve is considered one of the most advanced projects in DeFi. The formula that powers its operations is considered a brilliant example of a non-custodial financial solution. Yet, the surrounding infrastructure is not mature.
This is the second time the project has been attacked. In August last year, hackers replaced its front-end website, resulting in the phishing of $570,000 of user funds. In both cases, it was not the direct fault of the protocol. Yet, to compete with banks and centralized financial service providers in terms of security, DeFi projects need to bring their product’s security up to standard banking grade.