
Late yesterday evening, Curve Finance suffered a reentrancy attack. Early accounts of the hack put the losses at approximately $26 million. But the night was long for the Curve team, and so was the list of damage. According to the latest news, the stolen sums amount to 52 million dollars.
General panic around the Curve hack
The DeFi ecosystem is reeling right now. After the first report of a major attack on the Curve protocol, which caused the loss of approximately 11 million dollars, things got worse.
"Update #PeckShieldAlert – There is $52M mined so far from Alchemix, JPEG’d, MetronomeDAO, deBridge, Ellipsis and Curve CRV-ETH."
Earlier, PeckShield had put the total stolen from Curve Finance at $26.76 million.
According to BeInCrypto, this “reentrancy attack” did not only affect the stable pools of Curve. Damage has also been reported in other DeFi protocols like Ellipsis (huge BNB losses), JPEG’d ($11.4m), Alchemix ($13.6m), MetronomeDAO ($1.6m)… The ecosystem as a whole has tumbled, to the point of displaying a $2.3 billion drop in its TVL.
And to drive the point home, CRV lost 16% of its value in 24 hours. It was trading at $0.064 at press time. Quite a change compared with the price of CRV on Sunday at 11:15 p.m., $0.59.
Vyper, the main culprit
The reentrancy attack that bled Curve Finance would not have happened if Vyper had done its job. This Pythonic smart contract language for the EVM had vulnerabilities serious enough to allow these heavy losses.
"A number of stablepools (alETH/msETH/pETH) using Vyper 0.2.15 were operated due to a malfunction of the reentry lock. We are assessing the situation and will update the community as it happens. The other pools remain safe."
"PSA: The Vyper versions 0.2.15, 0.2.16 and 0.3.0 are vulnerable to malfunctioning reentrancy locks. The investigation is ongoing but any project relying on these releases should contact us immediately."
CoinPedia, which took up the results of an investigation conducted by Ancilia, provides these details:
- 136 smart contracts were using Vyper 0.2.15;
- 98 were using Vyper 0.2.16;
- and 226 smart contracts were using Vyper 0.3.0.
All this comes from a faulty reentrancy lock, which opened the way to massive and simultaneous transfers from other DeFi protocols.
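A triage check for the releases listed above, as an added example that is not from the article or from the Vyper or Curve projects: it reads the version pragma of a Vyper source file and lists the functions that rely on `@nonreentrant`. The sample contract and the names `triage`, `AFFECTED`, `PRAGMA` and `GUARDED` are constructed for illustration, and only exact version pins are resolved.

```python
import re

# Releases named as affected in the Vyper PSA quoted above.
AFFECTED = {"0.2.15", "0.2.16", "0.3.0"}

# Version pragma, e.g. "# @version 0.2.15" or "#pragma version 0.3.10".
PRAGMA = re.compile(r"^#[ \t]*(?:@version|pragma[ \t]+version)[ \t]+(\S+)", re.M)
# @nonreentrant("key"), any further decorators, then the function it guards.
GUARDED = re.compile(
    r"@nonreentrant\(\s*['\"]([^'\"]+)['\"]\s*\)[ \t]*\n"
    r"(?:@\w+[^\n]*\n)*def\s+(\w+)")

# Constructed sample source for the demonstration (not a real contract).
SAMPLE = '''# @version 0.2.15
@external
@nonreentrant('lock')
def deposit(amount: uint256):
    pass

@external
@nonreentrant('lock')
@payable
def withdraw(amount: uint256):
    pass
'''

def triage(source):
    """Return (status, version_spec, {lock_key: [guarded function names]})."""
    locks = {}
    for key, func in GUARDED.findall(source):
        locks.setdefault(key, []).append(func)
    match = PRAGMA.search(source)
    if match is None:
        return "unknown", None, locks          # no pragma: check build config
    spec = match.group(1)
    version = spec.lstrip("=v")
    if not re.fullmatch(r"\d+\.\d+\.\d+", version):
        return "review", spec, locks           # range such as ^0.2.15
    if version not in AFFECTED:
        return "not-listed", spec, locks
    # An affected compiler matters most where the contract relies on the lock.
    return ("affected" if locks else "listed-no-lock"), spec, locks

if __name__ == "__main__":
    print(triage(SAMPLE))
```

A "review" or "unknown" result means the compiler version has to be confirmed from the build configuration or the deployed contract's metadata rather than from the source alone.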
The damage is done. And no one learned any lessons from the EraLend reentrancy attack, in which millions of dollars were stolen.
Curve Finance rescued by white hat hackers
Some analysts speculate that the losses from Curve’s attack may exceed $70 million. While most of this haul is currently in the hands of ill-intentioned people, some of the funds have been recovered by well-meaning hackers ("whitehats") and "MEV bots".
A whitehat hacker holding the address "cOffeebabe.eth" claimed to have returned 2,879 ETH ($5.4 million) to the deployment address reported by Curve.
But this noble initiative, coupled with the stability of the crvUSD contracts, will not stop the bleeding at Curve Finance, which recorded losses of 32 million CRV tokens.
Many questions are being asked at the moment despite the belated attempts at repair by the CEO of Curve Finance. Michael Egorov has indeed made up for his team’s clumsiness by repaying 4.63 million USDT and depositing 16 million CRV on Aave. At this time, he is reportedly 59.68 million USDT in debt on Aave, with a health factor of 1.69, Metaverse Post points out.
In all of this, the attitude of the white hat hackers is commendable. As they did last time, Binance and other exchanges will also be able to step in to keep DeFi from being bled dry. At the very least, they will freeze the assets stolen from Curve Finance.