Several Curve Finance liquidity pools were recently attacked on July 30th, exposing a vulnerability in the programming language Vyper. Vyper is a contract programming language specifically designed for the Ethereum Virtual Machine (EVM). Curve Finance is a prominent decentralized finance (DeFi) protocol known for its liquidity services, and this code vulnerability has put approximately $100 million worth of digital assets at risk.
The vulnerability was discovered in versions 0.2.15, 0.2.16, and 0.3.0 of Vyper, in which the reentrancy lock did not function as intended. As a result, millions of dollars were drained from four Curve pools, namely aETH/ETH, msETH/ETH, pETH/ETH, and CRV/ETH. Because the flaw lies in the compiler rather than in Curve's code alone, any protocol whose contracts were compiled with these three Vyper versions could potentially be affected as well.
A Twitter account named BlockSec warned Curve Finance about the reentrancy issue, particularly in pools that use the `use_eth` parameter, which endangered the WETH-related pools. They offered assistance to Curve Finance, advising them to reach out if needed.
The incident caused the price of Curve Finance's native token, CRV, to collapse on decentralized exchanges (DEX). The price dropped to $0.086 on DEX but remained at $0.60 on centralized exchanges (CEX), which kept the token from falling to zero. This was possible because the price feed used by the protocol also draws on centralized exchange prices.
Curve pools rely on Chainlink’s oracle system, which incorporates various price feeds, including those from centralized exchanges. If it weren’t for the CEX price feed, Curve Finance would have faced a complete collapse. This ironic turn of events caught the attention of Binance CEO Changpeng Zhao, who found amusement in the fact that a CEX price feed ultimately saved the DeFi ecosystem.
Zhao emphasized that Binance was not affected by the Vyper vulnerability since they had updated their code to the latest version, highlighting the importance of regularly upgrading code libraries to prevent such vulnerabilities.
The bug in early versions of the Vyper code is believed to be at least 1.5 years old, and the attacker is suspected of extensively researching the release history to exploit a significant protocol with millions at stake. A contributor to the Vyper program on Twitter suggested that the amount of effort and resources put into the exploit might indicate a state-sponsored attack.
This incident highlights the importance of robust code and constant vigilance in the realm of DeFi. It serves as a reminder that even well-established protocols and programming languages can still have vulnerabilities that can be exploited. Developers and projects must continuously update and enhance their code to ensure the security of users’ assets.
In conclusion, the recent attack on Curve Finance liquidity pools due to a vulnerability in Vyper poses a significant risk to the DeFi ecosystem. Despite the substantial loss suffered, the use of a centralized exchange price feed prevented the collapse of Curve Finance’s native token. This incident also underscores the need for regular code maintenance and upgrades to mitigate vulnerabilities in the fast-paced world of decentralized finance.