DeFi on high alert: Heavy toll for Curve Finance

Late yesterday evening, Curve Finance suffered a re-entry attack. Provisional reports of the hack indicated a loss of some $26 million. Except that it was a long night for the Curve team, and so was the list of break-ins. According to the latest news, the total amount of money stolen is in the region of $52 million.

Panic over Curve hack

The DeFi ecosystem is crying right now. After a major attack on the Curve protocol was reported, resulting in the loss of around $11 million, things have taken a turn for the worse.

Update #PeckShieldAlert There are ~$52M exploited so far from @AlchemixFi, @JPEGd_69, @MetronomeDAO,@DebridgeFinance, @Ellipsisfi and #Curve CRV-ETH https://t.co/o1j83HgCB3 pic.twitter.com/OoI6KyL05e

— PeckShieldAlert (@PeckShieldAlert) July 30, 2023

Some time earlier, PeckShield reported that a total of $26.76 million had been stolen from Curve Finance.

According to BeInCrypto, this “reentrancy attack” did not only affect Curve’s stable pools. Damage was also reported to other DeFi protocols such as Ellipsis (huge losses in BNB), JPEG’d ($11.4 million), Alchemix ($13.6 million), MetronomeDAO ($1.6 million)… The ecosystem as a whole plummeted, to the point of posting a $2.3 billion drop in its TVL.

To make matters worse, the CRV lost 16% of its value in 24 hours. At the time of going to press, it was trading at $0.064. A fine performance compared with the Curve’s 11:15pm Sunday price of $0.59.

Vyper, the main culprit

The re-entry attack that bled Curve Finance would not have happened if Viper had done its job. This intelligent Pythonic smart contract language for EVM presented vulnerabilities to the point of allowing these heavy losses.

A number of stablepools (alETH/msETH/pETH) using Vyper 0.2.15 have been exploited as a result of a malfunctioning reentrancy lock. We are assessing the situation and will update the community as things develop.

Other pools are safe. https://t.co/eWy2d3cDDj

— Curve Finance (@CurveFinance) July 30, 2023

CoinPedia, which picked up the results of a survey conducted by Ancilia, puts forward these details:

• 136 smart contracts were using Vyper 0.2.15;

• 98 of these are deployed on Vyper 0.2.16;

• And 226 smart contracts on Vyper 0.3.0.

All this stems from a faulty re-entry lock conducive to massive, simultaneous transfers from other DeFi protocols.

The damage is done. And no one has learned the lessons of the EraLend re-entry attack that resulted in the theft of several million dollars.

Curve Finance saved by white hat hackers

Some analysts suggest that Curve’s attack may be worth more than $70 million. While most of this is currently in the hands of the wrong people, some of the funds have been recovered by good hackers, white hats and MEV bots.

One whitehat hacker holding the address “cOffeebabe.eth” claimed to have returned 2,879 ETH ($5.4 million) to the deployment address reported by Curve.

But this noble initiative, coupled with stability in crvUSD contracts, won’t stop the hemorrhaging of Curve Finance, which has recorded 32 million CRV tokens in losses.

Many questions are currently being asked, despite the Curve Finance CEO’s somewhat belated attempts at redress. Michel Egorov has made up for his team’s blunder by repaying USDT 4.63 million and depositing CRV 16 million on Aave. At present, he has debts of 59.68 million USDT on Aave, with a health rate of 1.69, according to Metaverse Post.

The white hat hackers’ approach to all this is commendable. Like last time, Binance and the other exchanges will also be able to lend a hand to avoid a bloodless DeFi. At the very least, they will freeze the assets stolen from Curve Finance.