
On July 30th, a major security breach occurred in several stable pools on Curve Finance, resulting in significant losses. The vulnerability was linked to specific versions of Vyper, a programming language used in Ethereum projects.
The affected Vyper versions were 0.2.15, 0.2.16, and 0.3.0, all of which had a flaw in their reentrancy locks. This flaw allowed attackers to exploit the contracts, potentially draining all the funds within them. Security firm Ancilia found that 136 contracts were using Vyper 0.2.15 with reentrancy protection, 98 contracts were using Vyper 0.2.16, and 226 contracts were using Vyper 0.3.0.
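
A triage check built on the version list above, as an added example that is not code from the article, Vyper, or Curve: it flags Vyper sources that pin one of the three named compiler versions and also use a `@nonreentrant` lock. The sample sources are constructed, and the check assumes the source pragma matches the compiler actually used to build the deployed bytecode.

```python
import re

# Compiler versions the article names as having flawed reentrancy locks.
AFFECTED = {"0.2.15", "0.2.16", "0.3.0"}

# Vyper declares its compiler in a comment pragma such as "# @version 0.2.15"
# (newer releases also accept "#pragma version ...").
PRAGMA = re.compile(r"^\s*#\s*(?:@version|pragma\s+version)\s+(\S+)", re.M)
# Reentrancy locks are requested with the @nonreentrant("<key>") decorator.
LOCK = re.compile(r"^\s*@nonreentrant\(\s*['\"]([^'\"]+)['\"]\s*\)", re.M)
EXACT = re.compile(r"\d+\.\d+\.\d+")


def triage(source):
    """Return (status, version_spec, lock_keys) for one Vyper source file."""
    m = PRAGMA.search(source)
    spec = m.group(1) if m else None
    locks = sorted(set(LOCK.findall(source)))
    if not locks:
        status = "no-lock"       # no reentrancy lock, so the lock flaw does not apply
    elif spec in AFFECTED:
        status = "affected"      # pinned to a named version and relies on a lock
    elif spec and EXACT.fullmatch(spec):
        status = "not-listed"    # pinned to a version the article does not name
    else:
        status = "review"        # range or missing pragma: confirm from build metadata
    return status, spec, locks


# Constructed sample sources (not real deployed contracts).
SAMPLES = {
    "pool_a.vy": '# @version 0.2.15\n@external\n@nonreentrant("lock")\ndef exchange(): pass\n',
    "pool_b.vy": "# @version 0.3.7\n@external\n@nonreentrant('lock')\ndef exchange(): pass\n",
    "token.vy": "# @version 0.3.0\n@external\ndef transfer(): pass\n",
    "pool_c.vy": '# @version ^0.2.0\n@external\n@nonreentrant("lock")\ndef exchange(): pass\n',
}


def scan(samples):
    """Map each file name to its triage status."""
    return {name: triage(src)[0] for name, src in samples.items()}


if __name__ == "__main__":
    for name, src in SAMPLES.items():
        print(name, *triage(src))
```
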
Vyper is a Pythonic programming language targeting the Ethereum Virtual Machine (EVM). It offers simplicity, security, and a smooth transition for Python developers entering the Web3 space. In a recent tweet on X, Vyper stated, “The investigation is still ongoing, but any project relying on these variants should immediately contact us.”
As a result of the exploit, several popular decentralized finance projects suffered losses, including Ellipsis, Alchemix, JPEGd, and Metronome’s stable pools. Curve Finance’s CEO later confirmed a significant loss of CRV tokens from the swap pool.
This incident triggered widespread concern and fear across the DeFi ecosystem. Many users rushed to move their funds across various pools, while white hat hackers launched a rescue operation to help affected projects. In response to the news, the utility token of Curve Finance, CRV, experienced a decline of over 5% in value.
The vulnerability in Vyper’s affected versions exacerbated the liquidity and price volatility of CRV. However, it’s important to note that certain contracts, like crvUSD, and their associated pools remained unaffected by the attack, offering some reassurance to users within the DeFi community.
Recently, a report by Todayq News on July 10, 2023, revealed that Arcadia Finance, a well-known margin lending platform, experienced a security breach where approximately $455,000 was lost. The exploit involved fake transactions on the Ethereum network and layer-2 solution Optimism. The DeFi space has been facing a series of attacks in recent months, with a staggering $204 million lost to hacks and scams during the second quarter of 2023, according to a report by Web3 portfolio app De.Fi.