Upbit, a South Korean cryptocurrency exchange, has temporarily suspended deposits and withdrawals of CRV, the governance token of Curve Finance, a decentralized exchange for stablecoins. The move comes as hackers over the weekend exploited a ‘re-entrancy’ bug in Vyper to steal millions of dollars.

Curve Suffers Hacking

Reentrancy is a type of vulnerability in smart contracts that enables attackers to make repeated calls to a protocol, creating the opportunity to steal funds from such smart contracts or execute other malicious actions. On the other hand, Vyper is a Python-like language for the Ethereum Virtual Machine (EVM), which is a software that runs on Ethereum and handles the blockchain’s smart contracts system.

In an announcement released today (Monday), Upbit explained that it took the decision to halt the withdrawal of CRV in order “to ensure the safety of digital asset transactions.”

“Today, certain vulnerabilities have been discovered in some of the stablecoin pools associated with Curve (CRV). As a result, CRV is currently experiencing significant volatility. We advise exercising caution when considering any investments related to CRV,” Upbit stated.

Vyper announced the exploit earlier yesterday (Sunday), noting that certain versions of its language were vulnerable to ‘malfunctioning reentrancy locks’. Curve Finance also followed up with an update, saying the event affected 'a number of stable pools.

A number of stablepools (alETH/msETH/pETH) using Vyper 0.2.15 have been exploited as a result of a malfunctioning reentrancy lock. We are assessing the situation and will update the community as things develop.

Other pools are safe. https://t.co/eWy2d3cDDj

— Curve Finance (@CurveFinance) July 30, 2023

According to Cointelegraph, Michael Egorov, Curve Finance’s CEO confirmed through a Telegram Channel that 32 million CRV tokens worth over $22 million were stolen. However, BlockSec, a smart contracts audit platform, puts the figure at over $41 million.

The sheet updated. Losses have already ~$41m!https://t.co/lCaS4uEPzm https://t.co/stQYNJFS7y pic.twitter.com/P7jG8NHnV4

— BlockSec (@BlockSecTeam) July 30, 2023

Furthermore, Huobi Global estimated that losses from the attack were up to $52 million. The Seychelles-based crypto exchange added that it was closely monitoring the situation.

#DeFi projects: #Curve's JPED'd: pETH-ETH pool, & Alchemix, & JPEG'd, faced attacks resulting in a $52M loss. Your asset security is our top priority. We are monitoring the situation closely.#Huobi supports RWA tokens such as like $MKR, $COMP, $CRV, #WSTUSDT, and $TRX . Trade… pic.twitter.com/2YHGaFuGkc

— Huobi (@HuobiGlobal) July 31, 2023