Curve, the second-largest decentralized exchange and having an important role in the DeFi space, was exploited for over $70 million on 31 July 2023. The hacker initiated the attack by exploiting $11 million from the pETH-ETH pool of JPEG’d.
Several protocols were affected by the attack: Alchemix’s alETH-ETH pool experienced an outflow of $13.6 million, the msETH-ETH pool of Metronome saw $1.6 million drained, while deBridge and Ellipsis reported a combined loss of $26 million. The total value of the attack surpassed $70 million. On-chain data showed that the MEV bot front-run the attack, and an address with the name c0ffeebabe.eth returned 2,879 ETH back to the Curve deployer contract. Consequently, Curve was exploited for approximately $47 million. Additionally, Curve Finance CEO Michael Egorov confirmed that 32 million CRV tokens, worth $22 million, were drained from the CRV-ETH pool.
The exploitation caused panic within the Curve community, promoting a wave of liquidity withdrawals from entire pools on Curve. As a result of this incident, Curve’s total value locked (TVL) experienced a drastic plummet, dropping to $1.67 billion, which represented a 50% decrease within a mere two days after the attack.
Afterward, Curve announced that the factory pools faced a bug in the smart contracts that were written using versions of the Vyper coding language. According to information on their website, Curve operates a total of 232 different pools, and only those pools utilizing Vyper versions 0.2.15, 0.2.16, and 0.3.0 were at risk. The hacker exploited Vyper complier and not Curve’s smart contracts, meaning that other pools remained unaffected and secure.
Vyper is a programming language designed to target the Ethereum Virtual Machine (EVM). Its similarity to Python makes it a starting point for Web 2 developers looking for opportunities in Web 3 space.
Post-Curve Attack Concerns
The account named “señor doggo,” a Vyper contributor revealed that the worst part of the Curve attack might be the hacker’s deep dive into Vyper’s history to find the bug. The attack could have been carried out by a group or team, and the execution was conducted with a good combination. There are reasons to suspect that the hacker was funded to execute the plan, as discovering this particular bug would have required weeks or even months of research.
Instead of exploiting the protocols as usual, the hackers turned to new sources, which demanded significant effort and investment. They focused on the compiler, an aspect that had seemingly gone unnoticed by the market. Why did they choose to attack Vyper?
The history of Vyper has seen little change, and its codebase is smaller and easier to read. Most compilers have not undergone thorough audits. They often experience crucial changes, making the auditing process challenging. Even if they are audited, they might become obsolete soon after multiple upgrades. Moreover, there hasn’t been a good reason to audit the compiler when it makes more sense to audit the final product.
As a result, no one had been motivated to search for bugs in the compiler, especially the versions released in the past. Consequently, the hacker found a bug to exploit. This raises concerns that other compilers could be the next targets. Furthermore, other infrastructures that have not been given much attention may also become potential targets.