On July 30, several Curve Finance stable pools built with Vyper were exploited, with losses of approximately $24 million at the time of reporting. The vulnerability was traced to Vyper versions 0.2.15, 0.2.16, and 0.3.0, whose reentrancy locks were found to malfunction.
Vyper, a contract-oriented programming language targeting the Ethereum Virtual Machine (EVM) and known for its Pythonic features, reported that ongoing investigations revealed the issues with the mentioned versions. Projects relying on these versions were urged to contact Vyper immediately.
According to security firm Ancilia’s analysis of affected contracts, 136 contracts were using Vyper 0.2.15 with reentrancy protection, 98 were using Vyper 0.2.16, and 226 were using Vyper 0.3.0. Because the reentrancy locks produced by these compiler versions did not work as intended, contracts relying on them were exposed to reentrancy attacks that could drain all of their funds.
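To make concrete what a working reentrancy lock is supposed to guarantee, the following is an added, constructed Python simulation (not code from Curve, Vyper or Ancilia, and not a reproduction of the actual compiler defect). It models a pool whose functions all claim the same lock key and checks the invariant a reviewer would test: under a re-entrant call during a payout, the pool's total claims must never exceed its reserve. The "per-function lock" mode is an assumed model of a malfunctioning lock, chosen only to show how the invariant breaks when guarded functions do not share lock state; the pool, function names and balances are all hypothetical.

```python
# Constructed illustration of a per-key reentrancy lock and the solvency
# invariant it protects. Not Curve, Vyper or Ancilia code; the
# "per-function lock" mode is an assumed failure model, not the real bug.

class ToyPool:
    def __init__(self, shared_lock: bool):
        self.shared_lock = shared_lock
        self.balances = {}      # internal accounting: who may claim what
        self.reserve = 0        # assets actually held by the pool
        self.locks = {}         # lock slot name -> currently held?

    def _slot(self, key: str, fn_name: str) -> str:
        # Correct behaviour: one slot per lock key, so every guarded function
        # sees a lock taken by any other. Assumed defect: one slot per
        # function, so re-entering through a different function is not blocked.
        return key if self.shared_lock else f"{key}:{fn_name}"

    def _acquire(self, key: str, fn_name: str) -> None:
        slot = self._slot(key, fn_name)
        if self.locks.get(slot):
            raise RuntimeError("reentrant call blocked")
        self.locks[slot] = True

    def _release(self, key: str, fn_name: str) -> None:
        self.locks[self._slot(key, fn_name)] = False

    def deposit(self, who: str, amount: int) -> None:
        self._acquire("lock", "deposit")
        try:
            self.balances[who] = self.balances.get(who, 0) + amount
            self.reserve += amount
        finally:
            self._release("lock", "deposit")

    def transfer(self, src: str, dst: str, amount: int) -> None:
        self._acquire("lock", "transfer")
        try:
            if self.balances.get(src, 0) < amount:
                raise ValueError("insufficient balance")
            self.balances[src] -= amount
            self.balances[dst] = self.balances.get(dst, 0) + amount
        finally:
            self._release("lock", "transfer")

    def withdraw(self, who: str, amount: int, on_payout=None) -> None:
        self._acquire("lock", "withdraw")
        try:
            if self.balances.get(who, 0) < amount:
                raise ValueError("insufficient balance")
            self.reserve -= amount          # payout leaves the pool here ...
            if on_payout:
                on_payout(self)             # ... and control passes to the recipient
            self.balances[who] -= amount    # internal state is updated only afterwards
        finally:
            self._release("lock", "withdraw")

    def claims(self) -> int:
        # Total amount holders could still claim from the reserve.
        return sum(b for b in self.balances.values() if b > 0)


def reentry_probe(shared_lock: bool) -> dict:
    """Run a withdraw whose payout callback re-enters the pool through
    transfer(). Reports whether the re-entry was blocked and whether the
    solvency invariant claims <= reserve survived."""
    pool = ToyPool(shared_lock)
    pool.deposit("lp_a", 100)   # constructed sample balances
    pool.deposit("lp_b", 10)
    outcome = {}

    def on_payout(p: ToyPool) -> None:
        try:
            # lp_b's balance has not been debited yet at this point
            p.transfer("lp_b", "lp_c", p.balances["lp_b"])
            outcome["blocked"] = False
        except RuntimeError:
            outcome["blocked"] = True

    pool.withdraw("lp_b", 10, on_payout)
    outcome["claims"] = pool.claims()
    outcome["reserve"] = pool.reserve
    outcome["solvent"] = pool.claims() <= pool.reserve
    return outcome


if __name__ == "__main__":
    for mode in (True, False):
        label = "shared lock" if mode else "per-function lock"
        print(label, reentry_probe(mode))
```

With the shared slot, the re-entrant transfer hits the lock already held by withdraw and is rejected, and claims equal the reserve afterwards. With per-function slots the re-entry passes, the not-yet-debited balance is moved to a third party, and the pool ends up owing more than it holds. The lock's only job is to make the second outcome impossible, which is why a compiler-level lock that silently stops being shared is so damaging: the contract source looks fully guarded while the deployed bytecode is not.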
This exploit had a significant impact on the DeFi ecosystem, with several decentralized finance projects suffering substantial losses. Decentralized exchange Ellipsis reported being affected by the attack, along with Alchemix’s alETH-ETH pool, JPEGd’s pETH-ETH pool, and Metronome’s sETH-ETH pool.
The news triggered panic across the DeFi community, leading to a surge of transactions across pools and a rescue operation initiated by white hat hackers. As a result of the incident, the utility token of Curve Finance, Curve DAO (CRV), saw a decline of over 5% in value. CRV’s liquidity had already been reduced in previous months, making it vulnerable to significant price swings.
It’s worth noting that other DeFi protocols have also experienced attacks in recent times, with a total of more than $204 million being lost through hacks and scams in the second quarter of 2023, according to a report by Web3 portfolio app De.Fi.