DeFi Protocols Hit by $24M Crypto Theft Due to Vyper Vulnerabilit
Multiple decentralized finance protocols encountered an unexpected blow as attackers exploited a Vyper vulnerability, resulting in the theft of over $24 million worth of cryptocurrencies on Sunday.
Several decentralized finance projects faced significant losses when attackers capitalized on a vulnerability within liquidity pools on Curve, a prominent automated market maker platform.
The vulnerability was linked to Vyper, a third-party programming language for Ethereum smart contracts. Curve confirmed via Twitter that liquidity pools not utilizing this language remained unaffected.
Liquidity pools, which are smart contracts that hold tokens and provide liquidity to crypto markets without the need for intermediaries, proved susceptible to attacks. A minor flaw in these pools resulted in substantial losses.
Millions of Curve DAO (CRV) tokens and approximately $14 million in wrapped ether (WETH) were stolen from the CRV/ETH pool on Curve Finance. A white hat rescue mission attempted to safeguard the funds but couldn't prevent the theft.
Some exchanges, notably Upbit, have announced that due to the attack, CRV volatility is high. As a result, Curve (CRV) deposit and withdrawal services have temporarily been suspended.
Curve Finance suffered from the vulnerability affecting multiple pools due to a bug in previous versions of the Vyper programming language.
Before this incident, $26 million worth of tokens were transferred from various Curve factory pools, affecting projects like JPEG'd, Metronome, and Alchemix. The total asset outflows related to these security breaches crossed $41 million.
Despite the losses, Curve's Discord announced that all affected pools had either been exploited or saved by a white hat hacker, reassuring users about the safety of the remaining pools.
Curve initially described the vulnerability as a "re-entrancy" attack, but later clarified that its initial impression was incorrect. Re-entrancy attacks allow attackers to exploit smart contracts and manipulate balance calculations.
Vyper, on Twitter, attributed the problem to its compiler, which failed to properly compile code written by developers, preventing re-entry guards from working as intended.
UPDATE: PeckShield has reported that the hacker has returned 2,879 ETH worth around $5.4 million to the protocol deployer address.