The decentralized finance (DeFi) world was shaken on July 30, 2023, when Curve Finance, a prominent decentralized exchange (DEX), fell victim to a significant attack.
The Hack Unveiled
Initially, it appeared to be a conventional reentrancy attack, in which a contract is called back into before it has finished updating its own state.
However, a deeper investigation uncovered a more fundamental vulnerability rooted in the Vyper programming language, which is used for Ethereum smart contracts.
This revelation exposed a glaring security flaw that led to the theft of a substantial sum.
The attack targeted multiple projects:
- JPEG’D: Lost $11.5 million from the pETH-ETH pool.
- Alchemix: Suffered a loss of $20.5 million from the alETH-ETH pool.
- Metronome: Lost $1.6 million from the msETH-ETH pool.
- Curve Finance: Witnessed a theft of $24.2 million from the CRV-ETH pool.
Surprisingly, another leading DEX, Ellipsis, reported a loss of $78,000 in an attack on their BNB stable pools.
In total, around $69 million was stolen, although some refunds were later initiated, bringing the net loss to roughly $20 million.
A Deeper Root Cause
The initial suspicion of a “read-only reentrancy” issue was only the tip of the iceberg.
The real problem lay in older versions of Vyper (0.2.15, 0.2.16 and 0.3.0), which harbored a previously undetected 0-day compiler bug.
This critical vulnerability broke the compiler's reentrancy lock, allowing attackers to re-enter a pool between key functions while its state was mid-update, manipulate the LP token price, and drain the pools.
Unfortunately, this vulnerability had previously impacted projects like Conic Finance and EraLend.
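The failure mode described above can be reproduced in a small simulation. The following is an added example written for this article, not Curve's pool code or Vyper's compiler output: a toy two-asset pool whose remove_liquidity function sends funds (handing control to the recipient) before it updates the LP supply, guarded by a reentrancy lock. SharedLock models the intended semantics of a lock that is shared across every function using the same key; PerFunctionLock models the defective semantics, where each function's lock lives in its own slot, so a lock held by remove_liquidity is invisible to add_liquidity. The probe function is the regression check a defender would run: any re-entry from inside one guarded function into another must revert. All names and amounts are constructed assumptions.

```python
"""Simulation (added example, not Curve's or Vyper's code) of a reentrancy lock
that is shared across functions versus one that is keyed per function.
Pool, SharedLock, PerFunctionLock and the amounts below are constructed."""
from typing import Callable, Optional


class Reverted(Exception):
    """Stands in for an EVM revert."""


class SharedLock:
    """Intended semantics: one flag per lock key, shared by every guarded function."""

    def __init__(self) -> None:
        self.taken = set()

    def acquire(self, key: str, fn_name: str) -> None:
        if key in self.taken:
            raise Reverted(f"lock '{key}' already held; {fn_name} rejected")
        self.taken.add(key)

    def release(self, key: str, fn_name: str) -> None:
        self.taken.discard(key)


class PerFunctionLock(SharedLock):
    """Defective semantics: the flag is stored per (key, function), so a lock
    taken inside remove_liquidity does not block add_liquidity."""

    def acquire(self, key: str, fn_name: str) -> None:
        super().acquire(f"{key}:{fn_name}", fn_name)

    def release(self, key: str, fn_name: str) -> None:
        super().release(f"{key}:{fn_name}", fn_name)


class Pool:
    """Toy pool: remove_liquidity pays out (a call-back opportunity) before it
    reduces lp_supply, so the virtual price is stale during the call-back."""

    def __init__(self, lock: SharedLock, eth: float, lp_supply: float) -> None:
        self.lock = lock
        self.eth = eth
        self.lp_supply = lp_supply

    def get_virtual_price(self) -> float:
        return self.eth / self.lp_supply

    def add_liquidity(self, eth_in: float) -> float:
        self.lock.acquire("lock", "add_liquidity")
        try:
            minted = eth_in / self.get_virtual_price()
            self.eth += eth_in
            self.lp_supply += minted
            return minted
        finally:
            self.lock.release("lock", "add_liquidity")

    def remove_liquidity(self, lp_in: float,
                         on_receive: Optional[Callable[["Pool"], None]] = None) -> float:
        self.lock.acquire("lock", "remove_liquidity")
        try:
            eth_out = lp_in * self.get_virtual_price()
            self.eth -= eth_out            # funds leave first ...
            if on_receive is not None:
                on_receive(self)           # ... recipient code runs with lp_supply not yet updated
            self.lp_supply -= lp_in        # ... state is consistent only after this line
            return eth_out
        finally:
            self.lock.release("lock", "remove_liquidity")


def probe(lock: SharedLock) -> dict:
    """Regression check: from inside remove_liquidity, try to call add_liquidity.
    With a correct lock the inner call reverts; with the defective lock it
    succeeds and mints LP against the stale (halved) virtual price."""
    pool = Pool(lock, eth=100.0, lp_supply=100.0)   # virtual price 1.0 (constructed)
    result = {"blocked": None, "minted": 0.0, "price_seen": None}

    def callback(p: Pool) -> None:
        result["price_seen"] = p.get_virtual_price()   # stale: eth already paid out
        try:
            result["minted"] = p.add_liquidity(10.0)
            result["blocked"] = False
        except Reverted:
            result["blocked"] = True

    pool.remove_liquidity(50.0, on_receive=callback)
    result["final_price"] = pool.get_virtual_price()
    return result


if __name__ == "__main__":
    for name, lock in (("shared", SharedLock()), ("per-function", PerFunctionLock())):
        print(name, probe(lock))
```

With the shared lock the inner call reverts and the pool ends at its original virtual price; with the per-function lock the call-back sees a price of 0.5 while funds have left but the LP supply is unchanged, mints twice as many LP tokens for its deposit as it should, and leaves the pool permanently mispriced. The same probe, driven from a test suite against the compiled contract rather than a simulation, is the kind of cross-function reentrancy test that catches a broken lock before deployment.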
Tools and Techniques Exploited
The hackers utilized a combination of tactics to exploit Curve Finance:
Price Manipulation with Vyper Compiler
The Vyper compiler vulnerability enabled the attackers to manipulate stablecoin prices in various pools, such as 3pool, sUSD, renBTC, and saave. These manipulated assets were then traded for other tokens at inflated rates.
Flash Loans
The attackers leveraged flash loans, enabling them to borrow over $100 million worth of stablecoins from Aave, a DeFi lending platform. Flash loans do not require collateral if repaid in the same transaction, magnifying the impact of the attack.
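The reason a flash loan needs no collateral is atomicity: the lender hands out the funds, runs the borrower's code, and then checks within the same transaction that principal plus fee came back; if the check fails, every state change is rolled back. The following is an added example written for this article, not Aave's or Curve's code, and FlashLender, the fee and the amounts are constructed assumptions.

```python
"""Added example (not Aave's or Curve's code): a flash loan whose repayment is
enforced by reverting the whole call when the borrower does not pay back
principal plus fee. FlashLender and all amounts are constructed."""
from typing import Callable


class Reverted(Exception):
    """Stands in for an EVM transaction revert."""


class FlashLender:
    FEE_BPS = 9  # 0.09 % fee, a constructed sample value

    def __init__(self, reserves: float) -> None:
        self.reserves = reserves

    def fee_for(self, amount: float) -> float:
        return amount * self.FEE_BPS / 10_000

    def flash_loan(self, amount: float, body: Callable[[float], float]) -> float:
        """Lend `amount`, run `body`, require repayment; returns the fee earned.
        `body` receives the borrowed amount and returns what it sends back."""
        if amount > self.reserves:
            raise Reverted("insufficient reserves")
        reserves_before = self.reserves
        self.reserves -= amount                     # funds leave the lender
        try:
            repaid = body(amount)                   # borrower's arbitrary logic
            if repaid < amount + self.fee_for(amount):
                raise Reverted("loan not repaid within the transaction")
            self.reserves += repaid
            return self.reserves - reserves_before  # lender's gain (the fee)
        except Reverted:
            self.reserves = reserves_before         # roll back, as a revert would
            raise


def honest_borrower(amount: float) -> float:
    """Uses the funds and returns principal plus fee (constructed behaviour)."""
    return amount + amount * FlashLender.FEE_BPS / 10_000


def defaulting_borrower(amount: float) -> float:
    """Keeps the funds; the lender must reject this in the same transaction."""
    return 0.0


def run(body: Callable[[float], float], reserves: float = 1000.0, amount: float = 800.0) -> dict:
    """Returns whether the loan settled and the lender's reserves afterwards."""
    lender = FlashLender(reserves)
    try:
        fee = lender.flash_loan(amount, body)
        return {"settled": True, "fee": fee, "reserves": lender.reserves}
    except Reverted as exc:
        return {"settled": False, "reason": str(exc), "reserves": lender.reserves}


if __name__ == "__main__":
    print(run(honest_borrower))
    print(run(defaulting_borrower))
```

The defaulting borrower never gets to keep the funds because the revert restores the lender's reserves to exactly what they were before; that is also why the borrowed amount can be far larger than anything the borrower owns, which is what let the attackers bring over $100 million of stablecoins to bear in a single transaction.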
Anonymity
To cover their tracks and avoid law enforcement, the hackers utilized multiple wallets, mixing services, and decentralized exchanges (DEXs). They even returned some of the stolen funds to Curve to mitigate potential legal repercussions.
The Heroes of the Story
The white-hat community played a vital role in recovering 70% of the losses.
Miner Extractable Value (MEV) bots and white hats from the ETH Security Community engaged in front-running the attackers’ transactions, an unusual occurrence in the crypto world.
One MEV bot operator, C0ffeebabe.eth, returned 2,879 ETH to Curve that had been captured by an MEV arbitrage bot. Despite these efforts, the quest to recover the remaining stolen funds continued.
Collaboration and unity became the way forward. Curve Finance, Metronome, and Alchemix joined forces, offering a 10% reward (equivalent to $7 million) and pledging no legal action if the entire stolen amount was returned by August 4.
Remarkably, the hackers returned a portion of the stolen funds to Alchemix Finance and Curve.fi.
The aftermath of the attack had a significant impact on the DeFi market, raising concerns about its security and highlighting potential vulnerabilities.
Implications and Lessons
The Curve Finance hack reverberated throughout the DeFi sector, emphasizing the following key points:
- DeFi’s Youth and Risks: DeFi remains a relatively young industry with inherent risks, including vulnerabilities in smart contracts and protocol inefficiencies.
- Potential for Regulatory Scrutiny: Cyberattacks in the DeFi space may lead to increased regulatory scrutiny, potentially resulting in legal actions and stricter regulations.
- Importance of Security: Security remains a significant concern in DeFi, emphasizing the need for robust security measures, audits, and responsible disclosure of vulnerabilities.
- Individual Due Diligence: Users must conduct thorough research and exercise caution when investing in DeFi projects, while also taking steps to secure their assets through secure wallets and prudent practices.