Decentralized finance (DeFi) protocols are currently undergoing a stress test due to a critical vulnerability found in certain versions of the Vyper programming language. This vulnerability has resulted in the theft of millions of dollars’ worth of cryptocurrencies on July 30. The exploit has targeted at least four liquidity pools on the Curve Finance protocol, specifically the aETH/ETH, msETH/ETH, pETH/ETH, and CRV/ETH pools.
Curve Finance confirmed that everything that could be drained from the targeted pools was indeed drained. However, the remaining pools are safe and unaffected by the bug. The vulnerability was related to a malfunctioning reentrancy lock within Vyper versions 0.2.15, 0.2.16, and 0.3.0. Auditing firm BlockSec noted that this reentrancy issue could potentially endanger all pools using wrapped Ether (WETH), adding to the overall risk.
Vyper is a contract programming language primarily designed for the Ethereum Virtual Machine (EVM). It is extensively used in Web3 development, making the bug in these three versions a cause for concern across multiple protocols. As a result, various decentralized finance projects have been affected by the attack. For instance, Alchemix’s alETH-ETH pool reported outflows of $13.6 million, PEGd’s pETH-ETH pool was drained of $11.4 million, Metronome’s sETH-ETH pool lost $1.6 million, and over $22 million in Curve DAO (CRV) tokens were drained.
The incident has also had a negative impact on the price of CRV, which dropped by over 12% to $0.64. Additionally, community members have raised concerns about a potential ripple effect on Aave’s protocol. The decreasing price of CRV could potentially lead Curve’s founder, Michael Egorov, to liquidate a $70 million borrowing position on Aave.
The exploit also affected decentralized exchange Ellipsis, as a small number of stable pools with BNB were exploited using an old Vyper compiler. As a result, it is crucial for other DeFi projects and protocols to be vigilant about the potential risks posed by this vulnerability.
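A triage sketch for the vigilance urged above, added here as an example and not code from Curve, Vyper or the article's source: it flags contracts whose recorded compiler version is one of the three named in the article and whose source relies on Vyper's `@nonreentrant` decorator. The inventory entries, contract names and version-string formats are constructed assumptions.

```python
import re

# Versions the article names as having the malfunctioning reentrancy lock.
AFFECTED = {(0, 2, 15), (0, 2, 16), (0, 3, 0)}
VERSION_RE = re.compile(r"(\d+)\.(\d+)\.(\d+)")
# Vyper marks lock-protected functions with @nonreentrant("key").
NONREENTRANT_RE = re.compile(r"""^\s*@nonreentrant\(\s*['"]([^'"]+)['"]\s*\)""", re.M)

def parse_version(raw):
    """Extract (major, minor, patch) from strings such as 'vyper:0.2.15'."""
    m = VERSION_RE.search(raw or "")
    return tuple(int(p) for p in m.groups()) if m else None

def triage(compiler, source):
    """Return (status, lock_keys) for one contract."""
    version = parse_version(compiler)
    if version is None:
        return "unknown", []  # no recorded version: cannot rule it out, review manually
    keys = sorted(set(NONREENTRANT_RE.findall(source)))
    if version not in AFFECTED:
        return "not-affected", keys
    # Affected compiler: highest priority when the contract depends on the lock.
    return ("at-risk" if keys else "affected-compiler-no-lock"), keys

# Constructed sample sources and inventory (not real deployed contracts).
SAMPLE_POOL = """
@external
@nonreentrant('lock')
def remove_liquidity(amount: uint256):
    pass

@payable
@external
@nonreentrant("lock")
def add_liquidity():
    pass
"""
SAMPLE_TOKEN = "@external\ndef transfer(to: address, value: uint256) -> bool:\n    return True\n"
INVENTORY = [
    ("pool-a", "vyper:0.2.15", SAMPLE_POOL),
    ("pool-b", "vyper:0.3.1", SAMPLE_POOL),
    ("token-c", "v0.3.0+commit.constructed", SAMPLE_TOKEN),
    ("legacy-d", "", SAMPLE_POOL),
]

def scan(inventory):
    return {name: triage(compiler, source) for name, compiler, source in inventory}

if __name__ == "__main__":
    for name, (status, keys) in scan(INVENTORY).items():
        print(f"{name}: {status} locks={keys}")
```

A result of `affected-compiler-no-lock` only means the contract does not use the decorator; it still belongs on the recompile list.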
This incident sheds light on the importance of ensuring the security and robustness of smart contracts and programming languages within the DeFi ecosystem. Regular audits and testing are vital to detect and address any vulnerabilities promptly, safeguarding user funds and maintaining trust in the decentralized finance space.