Curve Finance loses millions as hackers exploit the Vyper bug – here’s a rundown
- A Vyper bug that caused some versions of its compiler to malfunction has put Curve Finance at risk of liquidation.
- CRV’s price plummets as holders rush to sell off their tokens.
The decentralized finance (DeFi) vertical of the crypto ecosystem suffered yet another setback during the intraday trading session on 30 July, due to a bug in Vyper, a compiler that targets the Ethereum Virtual Machine (EVM).
PSA: Vyper versions 0.2.15, 0.2.16 and 0.3.0 are vulnerable to malfunctioning reentrancy locks. The investigation is ongoing but any project relying on these versions should immediately reach out to us.
— Vyper (@vyperlang) July 30, 2023
An EVM compiler is a program that converts code written in a high-level programming language, such as Solidity, into bytecode that the EVM can execute.
The Vyper compiler, which is used by many projects within the ecosystem, is a Python-based compiler for the Vyper programming language. It takes Vyper code as input and converts it into bytecode that can be executed by the Ethereum Virtual Machine (EVM).
In the aftermath of the malfunction, different parties, including DeFi protocols, founders, and other projects, are scrambling to cope with the situation. It is therefore worth examining what occurred and understanding its implications.
Oh Vyper, why hast thou forsaken me?
On 30 July, Vyper confirmed that the 0.2.15, 0.2.16, and 0.3.0 versions of its compiler failed to properly implement reentrancy locks.
In the context of smart contracts and decentralized applications (dApps), a reentrancy lock is a security mechanism that prevents a smart contract function from being called again before the previous call has completed. This security measure is put in place to stop malicious actors from repeatedly calling smart contract functions that withdraw funds.
As expected, attackers exploited this vulnerability and repeatedly re-entered such functions across a number of protocols compiled with the affected versions of Vyper.
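As an added illustration (not code from the article, from Vyper or from Curve), this Python model shows the lock semantics described above: two pool functions share one lock key, and a depositor that re-enters the pool during its payout is rejected when the lock is shared, but is paid more than its balance when each function gets its own lock. The per-function variant is an assumed model of a malfunctioning lock, not a description of the actual compiler defect; the pool, the balances and the re-entering caller are constructed for the example.

```python
def nonreentrant(key):
    # Models Vyper-style @nonreentrant(key). shared_lock: one lock per key for
    # all functions using it; else one lock per function (assumed broken model).
    def deco(fn):
        def wrapper(self, who):
            slot = key if self.shared_lock else (key, fn.__name__)
            if slot in self.locks:
                raise RuntimeError("reentrancy lock is set")  # like a revert
            self.locks.add(slot)
            try:
                return fn(self, who)
            finally:
                self.locks.discard(slot)
        return wrapper
    return deco

class Pool:  # toy pool: two exit functions guarded by the same lock key
    def __init__(self, shared_lock, balances):
        self.shared_lock, self.locks = shared_lock, set()
        self.balances, self.reserve = dict(balances), sum(balances.values())

    def _pay_out(self, who):
        # Paying a contract hands it execution before this call has finished.
        amount = self.balances[who]
        getattr(who, "receive", lambda pool: None)(self)
        self.reserve -= amount
        self.balances[who] = 0
    @nonreentrant("lock")
    def remove_liquidity(self, who):
        self._pay_out(who)
    @nonreentrant("lock")
    def exchange_and_exit(self, who):
        self._pay_out(who)

class ReentrantCaller:  # constructed test double for the cross-function case
    reentered = False
    def receive(self, pool):
        if not self.reentered:  # re-enter once, through the other function
            self.reentered = True
            pool.exchange_and_exit(self)

def run(shared_lock):
    """Returns (reserve left, reverted?) after one withdrawal by the caller."""
    caller = ReentrantCaller()
    pool = Pool(shared_lock, {"honest": 90, caller: 10})
    try:
        pool.remove_liquidity(caller)
    except RuntimeError:  # the whole transaction reverts; no state changed
        return pool.reserve, True
    return pool.reserve, False
```

With the shared lock the re-entrant call reverts and the reserve stays at 100; with per-function locks the caller is paid twice, leaving 80 in reserve against the honest depositor's balance of 90.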
Curve Finance took the most beating
These attackers primarily targeted Curve Finance [CRV] pools, and initial estimates revealed that as much as $70 million was drained.
A number of stablepools (alETH/msETH/pETH) using Vyper 0.2.15 have been exploited as a result of a malfunctioning reentrancy lock. We are assessing the situation and will update the community as things develop.
Other pools are safe. https://t.co/eWy2d3cDDj
— Curve Finance (@CurveFinance) July 30, 2023
Curve pools are a type of automated market maker (AMM) designed to provide efficient and low-cost trading for stablecoins. As confirmed in a message on Curve’s website, the pools affected included alETH/ETH, msETH/ETH, pETH/ETH, and CRV/ETH.
To forestall further hacks and fund drains, Curve stated that
“all affected pools have been drained or white hacked, and the team is assessing the situation with affected teams.”
All was not well with CRV
Curve’s founder Michael Egorov was also caught in the whirlwind. Before the exploit, Egorov had used some of his CRV tokens as collateral to borrow from various lending protocols, with the largest loan taken from Aave.
Mich confirming hacker got the large CRV pool.
That's probably enough CRV to push Mich's $100M+ of CRV into liquidation on Aave, Inverse and Abracadabra if it's not absorbed.
This is going to be nasty for those protocols and for Curve.
Can rebuild but possibly brace for impact https://t.co/5LHPE8jXxt
— Adam Cochran (adamscochran.eth) (@adamscochran) July 30, 2023
His collateral was at risk of liquidation: a continued decline in CRV’s price could push the token below the liquidation threshold. When traders caught a whiff of the exploit, many of them took to “dumping” their CRV holdings. According to a tweet published by Bankless:
“Centralized exchanges show $CRV price only bottoming out at $0.583, but the token managed to hit lows of $0.109 onchain. After the CRV/ETH pool was hacked, onchain $CRV liquidity became extremely thin, leading to onchain price volatility.”
Egorov had been making regular repayments on his loans to guard against increased CRV sell-offs, and the liquidation threshold for his Aave loan had been adjusted to $0.37 per CRV token. However, the depletion of liquidity in Curve’s largest pool, CRV/ETH, still puts his collateral at risk of automatic liquidation by Aave.
Moreover, lenders have begun withdrawing their funds from lending protocols to hedge against losses. For example, utilization of Aave’s USDT pool remained above 50%, and borrow rates spiked above 90%, putting Egorov’s position at risk of liquidation if rates do not drop in the coming days.
As noted by digital assets research firm ASXN, Curve faces the risk of being destabilized because the attackers, who had yet to sell their stolen CRV tokens, might “dump” them into the protocol’s CRV/ETH pool, further pushing down the value of the altcoin. If this happens, Egorov will be liquidated.
CRV exploiter hasn't sold any CRV tokens yet & likely cannot use a CEX for execution due to KYC limitations.
If dumped into the CRV/ETH pool, with a remaining $8.7 Mil in liquidity, the Curve founder would likely get liquidated. pic.twitter.com/0oXM2AKXS6
— ASXN (@asxn_r) July 30, 2023
Pray for your CRV-holding friends
At press time, CRV exchanged hands at $0.6512. Per data from CoinMarketCap, CRV suffered the biggest decline in the past 24 hours, logging a 12% drop in value.
On a daily chart, CRV sell-offs persisted. The Relative Strength Index and the Money Flow Index revealed that the alt was oversold at press time.
Likewise, its Chaikin Money Flow sat below the zero line, confirming increased outflows of liquidity from the CRV market.