Decentralized finance (DeFi) protocols are undergoing a stress test following a critical vulnerability was found on versions of Vyper programming language, resulting in the theft of millions of dollars worth of cryptocurrencies on July 30.
A number of pools using Vyper 0.2.15, 0.2.16 and 0.3.0 have been exploited due to a malfunctioning reentrancy lock, targeting at least four liquidity pools on Curve Finance protocol. “The short answer is that everything that could be drained was drained. The targeted pools are aETH/ETH, msETH/ETH, pETH/ETH and CRV/ETH. All remaining pools are safe and unaffected by the bug,” Curve Finance said on Discord.
BlockSec, an auditing firm for smart contracts, noted that the reentrancy could potentially place all pools with wrapped Ether (WETH) at risk of attack.
Please note that this reentrancy issue is associated with the use of ‘use_eth’, which could potentially place the WETH-related pools in jeopardy! @CurveFinance , please DM us if you need any help. https://t.co/vjc1RRce7w pic.twitter.com/Wz8DXJZK7Y
— BlockSec (@BlockSecTeam) July 30, 2023
Vyper is a contract programming language designed for Ethereum Virtual Machine (EVM). It is considered one of the most widely used Web3 programming languages, which means the bug in three of its versions could have an impact on several other protocols.
The attack affects a number of decentralized finance projects, with Alchemix’s alETH-ETH reporting outflows of $13.6 million, PEGd’s pETH-ETH pool drained by $11.4 million, Metronome’s sETH-ETH pool hacked by $1.6 million and over 32 million in Curve DAO (CRV) tokens worth over $22 million drained over the past few hours. Decentralized exchange Ellipsis also reported that a small number of stable pools with BNB were exploited using an old Vyper compiler.
crv/eth pool drained minutes before a whitehack operation :(https://t.co/rhALBzkTEi
— banteg (@bantg) July 30, 2023
The incident also negatively affected CRV’s price, which was down over 12% at the time of writing to $0.64. Community members also noted a potential ripple effect on Aave’s protocol, as the falling price of CRV could force Curve founder Michael Egorov to liquidate a $70 million borrowing position on Aave.