Curve-Vyper exploit: The whole story so far


The decentralized finance (DeFi) ecosystem has experienced a challenging week after a seismic security incident led to over $61 million being stolen from Curve Finance's pools, leaving broader contagion risks facing several protocols.

This attack exposed vulnerabilities across DeFi projects and sparked efforts to recover stolen funds over the past few days.

As the community navigates the aftermath of this exploit, Cointelegraph compiled the week's events, presenting a timeline of what happened since the hack on July 30.

The Hack: Curve Finance pools are exploited for over $61 million due to reentrancy vulnerability

Several stable pools on Curve Finance using the Vyper programming language were exploited on July 30, with losses reaching over $61 million (total losses were initially estimated at $47 million). The vulnerability was found in Vyper versions 0.2.15, 0.2.16 and 0.3.0.

Several DeFi projects were affected by the attack. Decentralized exchange Ellipsis reported that a small number of stable pools with BNB were exploited using an old Vyper compiler. Alchemix's alETH-ETH also witnessed $13.6 million of outflows due to the attack, along with $11.4 million exploited on JPEGd's pETH-ETH pool, and $1.6 million in Metronome's sETH-ETH pool. Curve Finance CEO Michael Egorov also confirmed that 32 million Curve DAO (CRV) tokens worth over $22 million had been drained from the swap pool.

Curve's Michael Egorov confirmed the theft of 32 million Curve DAO tokens on July 30. Source: Telegram/LobsterDAO.

The BNB Smart Chain was also a victim of copycat attacks due to the same vulnerability, with about $73,000 worth of cryptocurrencies on BSC across three exploits being stolen.

Since news of the exploit broke, white hat and black hat hackers have been duking it out on-chain, attempting to disrupt each other's exploit attempts or efforts to recover funds.

Preliminary investigations found that some versions of the Vyper compiler did not correctly implement the reentrancy guard, which prevents multiple functions from being executed at the same time by locking a contract.
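A defender-side check for the compiler releases named above, added here as an illustrative example rather than code from the article, Curve or the Vyper project: it reads a Vyper file's version pragma and reports which of the affected releases that pragma would still allow a build to use. It assumes the `# @version` and `#pragma version` comment forms and a simplified subset of the range syntax (exact pins, comparison operators, and a caret read as "same minor line"); the sample contracts are constructed.

```python
import re

# Vyper releases the article names as carrying the reentrancy-guard bug.
AFFECTED_VERSIONS = ("0.2.15", "0.2.16", "0.3.0")

# Vyper takes the compiler version from a leading comment, written either as
# "# @version <spec>" or, on newer releases, "#pragma version <spec>".
PRAGMA_RE = re.compile(r"^\s*#\s*(?:@version|pragma\s+version)\s+(\S.*?)\s*$", re.M)


def parse_version(text):
    """'0.2.15' -> (0, 2, 15), so versions compare numerically rather than as strings."""
    return tuple(int(part) for part in text.strip().split("."))


def clause_admits(clause, version):
    """Does one clause (0.2.15, ==0.2.15, >=0.2.0, <0.3.1, ^0.2.0) admit `version`?"""
    if clause.startswith("^"):
        # Assumption: a caret pins the minor line, so ^0.2.0 means >=0.2.0 and <0.3.0.
        base = parse_version(clause[1:])
        return base <= version < (base[0], base[1] + 1, 0)
    for op in ("==", ">=", "<=", "!=", ">", "<"):  # two-char operators first
        if clause.startswith(op):
            target = parse_version(clause[len(op):])
            break
    else:
        op, target = "==", parse_version(clause)  # a bare version is an exact pin
    return {"==": version == target, "!=": version != target,
            ">=": version >= target, "<=": version <= target,
            ">": version > target, "<": version < target}[op]


def affected_versions_admitted(source):
    """Affected releases the file's pragma would accept ([] if none, or if no pragma is set)."""
    match = PRAGMA_RE.search(source)
    if not match:
        return []
    # Clauses may be separated by commas or whitespace; all of them must hold.
    clauses = [c for c in re.split(r"[,\s]+", match.group(1)) if c]
    return [v for v in AFFECTED_VERSIONS
            if all(clause_admits(c, parse_version(v)) for c in clauses)]


# Constructed sample contracts (not code from any real project).
PINNED_OLD = "# @version 0.2.15\n@external\n@nonreentrant('lock')\ndef swap():\n    pass\n"
MINOR_RANGE = "# @version ^0.2.0\n@external\ndef swap():\n    pass\n"
PATCHED = "#pragma version >=0.3.1\n@external\ndef swap():\n    pass\n"

if __name__ == "__main__":
    for name, src in (("pinned", PINNED_OLD), ("range", MINOR_RANGE), ("patched", PATCHED)):
        print(name, affected_versions_admitted(src) or "no affected release admitted")
```

A file with no pragma is reported as clean by this check only because nothing can be decided from it; such files should be pinned and reviewed against the compiler actually used in the build.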

The Impact: Vyper vulnerability exposes DeFi ecosystem to stress tests; CRV price plummets

The security incident exposed DeFi protocols to a stress test in the following days, raising concerns about the impact of the exploit on the crypto ecosystem, in particular because the vulnerability could put all pools with wrapped Ether (WETH) at risk of attack.

Vyper is a contract programming language designed for the Ethereum Virtual Machine (EVM). It is considered one of the most widely used Web3 programming languages, meaning the bug in three of its versions could endanger several other protocols.

The exploit also led to one of the largest ever maximal extractable value (MEV) reward blocks of 584.05 Ether (ETH). According to Ethereum core developer "eric.eth," the bot noticed an incoming hack in the mempool, reproduced the tx [transaction] and front-ran it. "To do so they pay the block builder a lot of ETH to be in front of the line," he explained. MEV bots can spot pending liquidation transactions and front-run them to buy the liquidated assets first at a discount.

Today has produced some of the largest MEV reward blocks in Ethereum's history.

Slot 6,992,273: 584 ETH
Slot 6,993,342: 345 ETH
Slot 6,992,050: 247 ETH
Slot 6,993,346: 51 ETH

— eric.eth (@econoar) July 30, 2023

Curve's CEO scurries to pay collateralized loans

Threats elsewhere could also cause ripple effects across DeFi. Curve Finance founder Michael Egorov had about $100 million in loans backed by 47% of the circulating supply of the protocol's native token Curve DAO (CRV).

However, the CRV price dropped about 30% following the hack, falling to a low of $0.48 amid fears that Egorov's collateralized loans would be liquidated.

To reduce his debt position, Egorov sold 39.25 million CRV tokens to several notable DeFi investors, including Justin Sun, Machi Big Brother and DWF Labs, for a total of $15.8 million. The buyers purchased CRV at $0.40 per token, a 25% discount to the market price at the time. In addition, he made partial payments on two loans on Aave and Frax Finance.

CEX price feed prevents Curve price from collapsing

The CRV token price collapsed on the DeFi market due to the significant draining of several pools; however, it was ultimately saved by the centralized exchange price feed. The CRV price hit $0.086 on decentralized exchanges but traded at $0.60 on centralized exchanges (CEXs), preventing the token's price from collapsing to zero.

The ironic incident drew the attention of Binance CEO Changpeng Zhao, who chuckled at the fact that, in the end, it was a CEX price feed that saved the DeFi protocol.

Also reacting to an uncertain environment, Curve's native stablecoin, crvUSD, briefly depegged on Aug. 3. The algorithmic stablecoin fell by as much as 0.35% before regaining its peg to the United States dollar. Recently launched, crvUSD uses a mechanism for maintaining its peg called the PegKeeper algorithm, which ensures that the crvUSD value is properly backed by collateral while balancing supply and demand.

DeFi community: Ethical hacker retrieves $5.4M for Curve Finance amid exploit

During the crisis, the DeFi community stood by Curve Finance. On July 31, a white hat hacker managed to recover about 2,879 Ether worth about $5.4 million from an exploiter and returned it to Curve Finance. Hours later, another ethical hacker seized about 3,000 ETH and returned them to Curve's deployer address.

Amid fears of liquidation surrounding Egorov's loans, Jun Du, the co-founder of Huobi, purchased 10 million CRV for $4 million from Curve's CEO. Additionally, Aave Chan founder Marc Zeller proposed the Aave Treasury buy $2 million worth of CRV tokens from the protocol. According to the proposal, the purchase would signal that DeFi players support the health of the ecosystem.

What about crvUSD? How does its price respond to shock events, does it depeg?

Events of recent days felt similar to the SVB/USDC situation in some sense. However, crvUSD had just a 0.35% dip, and currently 0.1% from the peg pic.twitter.com/HaMfbkiFSR

— Curve Finance (@CurveFinance) August 3, 2023

Cross-chain lending platform Abracadabra Money also proposed increasing the interest rate on its outstanding loans to manage risks associated with its exposure to CRV.

The return of funds: Curve, Metronome and Alchemix offer 10% bug bounty; hacker takes it

On Aug. 3, Curve, Metronome and Alchemix jointly announced an initiative to recover stolen funds from the recent exploits of Curve's pools. The protocols offered a 10% bounty of the seized funds as a reward, urging those responsible for the exploit to step forward and return the remaining 90%, which would bring the bounty close to $7 million.

The offer came with a guarantee of no further legal actions or involvement of law enforcement. "We want to resolve this in a civilized manner," the protocols wrote to the hacker.

In less than 24 hours, on Aug. 4, the original attacker for the multi-million-dollar exploit seemingly accepted the bounty offer and began returning funds stolen a few days earlier. They sent back 4,820.55 Alchemix ETH (alETH), worth about $8,889,118, to the Alchemix Finance team, as well as 1 ETH, about $1,844, to the Curve Finance team.

The attacker also posted a message that seems to have been directed at the Alchemix and Curve teams, claiming they would return the funds, but only because they didn't want to "ruin" the projects involved and not because the attacker was caught.

Message sent by the exploiter to the protocols on Aug. 4. Source: Etherscan.

A total of $8.9 million worth of cryptocurrency has been returned at the time of writing, close to about 15% of the total amount drained.

Additional reporting by Amaka Nwaokocha, Ezra Reguerra, Martin Young, Nivesh Rustgi, Prashant Jha, Tom Blackstone, and Zhiyuan Sun.
