DeFi on high alert: Heavy toll for Curve Finance
Late yesterday evening, Curve Finance suffered a reentrancy attack. Early reports of the hack put the loss at some $26 million. But it was a long night for the Curve team, and the list of break-ins grew just as long. According to the latest news, the total amount stolen is in the region of $52 million.
Panic over Curve hack
The DeFi ecosystem is crying right now. After a major attack on the Curve protocol was reported, resulting in the loss of around $11 million, things have taken a turn for the worse.
Some time earlier, PeckShield reported that a total of $26.76 million had been stolen from Curve Finance.
According to BeInCrypto, this “reentrancy attack” did not only affect Curve’s stable pools. Damage was also reported to other DeFi protocols such as Ellipsis (huge losses in BNB), JPEG’d ($11.4 million), Alchemix ($13.6 million), MetronomeDAO ($1.6 million)… The ecosystem as a whole plummeted, to the point of posting a $2.3 billion drop in its TVL.
To make matters worse, CRV lost 16% of its value in 24 hours. At the time of going to press, it was trading at $0.064. A fine performance compared with Curve’s 11:15pm Sunday price of $0.59.
Vyper, the main culprit
The reentrancy attack that bled Curve Finance would not have happened if Vyper had done its job. This Pythonic smart contract language for the EVM contained vulnerabilities serious enough to allow these heavy losses.
CoinPedia, which picked up the results of a survey conducted by Ancilia, puts forward these details:
- 136 smart contracts were using Vyper 0.2.15;
- 98 of these are deployed on Vyper 0.2.16;
- And 226 smart contracts on Vyper 0.3.0.
All this stems from a faulty reentrancy lock, which opened the door to massive, simultaneous transfers from other DeFi protocols.
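What a reentrancy lock is meant to guarantee, as a simplified Python model added here for illustration (it is not code from Curve, Vyper or the article). The `Pool` class, its amounts and the failure mode shown, one lock flag per function instead of one shared flag, are assumptions; the article does not detail the compiler defect.

```python
class Reentered(Exception):
    """A guarded function was entered while the lock was already held."""
class Pool:
    """Toy pool (constructed); per_function_lock=True models the assumed fault."""
    def __init__(self, per_function_lock):
        self.per_function_lock, self.held = per_function_lock, set()
        self.reserves, self.total, self.shares = 0, 0, {}

    def _guarded(self, fn, body):
        slot = fn if self.per_function_lock else "lock"  # sound guard: one shared flag
        if slot in self.held:
            raise Reentered(fn)
        self.held.add(slot)
        try:
            body()
        finally:
            self.held.discard(slot)

    def add_liquidity(self, who, amount):
        def body():
            minted = amount * self.total // self.reserves if self.total else amount
            self.reserves += amount
            self.total += minted
            self.shares[who] = self.shares.get(who, 0) + minted
        self._guarded("add_liquidity", body)

    def remove_liquidity(self, who, on_receive):
        def body():
            burned = self.shares[who]
            paid = burned * self.reserves // self.total
            self.reserves -= paid
            on_receive(paid)  # control leaves the pool before accounting is final
            self.total -= burned
            self.shares[who] -= burned
        self._guarded("remove_liquidity", body)

def exercise(per_function_lock):
    """Return (nested call rejected?, first depositor's claim afterwards)."""
    pool = Pool(per_function_lock)
    pool.add_liquidity("lp", 100)
    pool.add_liquidity("caller", 100)
    saved = (pool.reserves, pool.total, dict(pool.shares))
    blocked = False
    try:
        pool.remove_liquidity("caller", lambda paid: pool.add_liquidity("caller", paid))
    except Reentered:
        pool.reserves, pool.total, pool.shares = saved  # model the transaction revert
        blocked = True
    return blocked, pool.shares["lp"] * pool.reserves // pool.total
```

With the shared flag the nested call is rejected and the first depositor's claim stays at 100; with per-function flags the nested call goes through against half-updated accounting and that claim drops to 66.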
The damage is done. And no one has learned the lessons of the EraLend reentrancy attack that resulted in the theft of several million dollars.
Curve Finance saved by white hat hackers
Some analysts suggest that the attack on Curve may have cost more than $70 million. While most of this is currently in the hands of the wrong people, some of the funds have been recovered by good hackers, white hats and MEV bots.
One whitehat hacker holding the address “cOffeebabe.eth” claimed to have returned 2,879 ETH ($5.4 million) to the deployment address reported by Curve.
But this noble initiative, coupled with stability in crvUSD contracts, won’t stop the hemorrhaging of Curve Finance, which has recorded 32 million CRV tokens in losses.
Many questions are currently being asked, despite the Curve Finance CEO’s somewhat belated attempts at redress. Michael Egorov has made up for his team’s blunder by repaying USDT 4.63 million and depositing CRV 16 million on Aave. At present, he has debts of 59.68 million USDT on Aave, with a health factor of 1.69, according to Metaverse Post.
The white hat hackers’ approach to all this is commendable. Like last time, Binance and the other exchanges will also be able to lend a hand to keep DeFi from being bled dry. At the very least, they will freeze the assets stolen from Curve Finance.