The BNB Smart Chain (BSC) was hit by copycat attacks caused by a vulnerability in the Vyper programming language. It mirrors the Curve Finance defi protocol exploit.
Blockchain security firm BlockSec revealed that as of July 30, approximately $73,000 worth of cryptocurrencies were stolen from the BSC through three separate exploits.
The latest development mirrored the ongoing exploits on Ethereum’s Curve Finance, which had already seen losses surpassing $41 million.
The sheet updated. Losses have already ~$41m! https://t.co/lCaS4uEPzm https://t.co/stQYNJFS7y
— BlockSec (@BlockSecTeam) July 30, 2023
The vulnerability in question was found in Vyper versions 0.2.15, 0.2.16, and 0.3.0, which were used by various defi pools. The malfunctioning reentrancy lock in these versions let attackers call back into a contract's functions while an earlier call was still executing, making it possible to drain all funds from affected contracts.
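A defensive triage check for the compiler versions named above, added here as an example and not taken from the article, BlockSec or the Vyper project: it flags Vyper source files that both pin one of the three affected versions and use the `@nonreentrant` decorator. The file names and sample sources are constructed; a version range or a missing pragma is reported as `unpinned`, because only the build record shows which compiler was actually used.

```python
import re

# Compiler versions the article names as shipping the broken reentrancy lock.
AFFECTED = {"0.2.15", "0.2.16", "0.3.0"}

# Vyper sources declare the compiler as "# @version X" or "#pragma version X".
PRAGMA = re.compile(r"^#[ \t]*(?:@version|pragma[ \t]+version)[ \t]+(\S+)", re.M)
EXACT = re.compile(r"^=*v?(\d+\.\d+\.\d+)$")  # an exact pin, not a range like ^0.2.0
GUARD = re.compile(r"^[ \t]*@nonreentrant\b", re.M)


def triage(source: str) -> str:
    """Classify one Vyper source file against the affected compiler list."""
    if not GUARD.search(source):
        return "no-guard"  # never relied on the compiler-generated lock
    pragma = PRAGMA.search(source)
    pin = EXACT.match(pragma.group(1)) if pragma else None
    if pin is None:
        return "unpinned"  # range or no pragma: check the build metadata
    return "affected" if pin.group(1) in AFFECTED else "not-affected"


def scan(sources: dict) -> dict:
    """Map each file name to its triage status."""
    return {name: triage(src) for name, src in sources.items()}


# Constructed sample sources (not real contracts), keyed by hypothetical names.
SAMPLES = {
    "pool_a.vy": '# @version 0.2.15\n@external\n@nonreentrant("lock")\n'
                 "def remove_liquidity(amount: uint256):\n    pass\n",
    "pool_b.vy": '# @version ^0.2.0\n@external\n@nonreentrant("lock")\n'
                 "def exchange(dx: uint256):\n    pass\n",
    "pool_c.vy": '#pragma version 0.3.7\n@external\n@nonreentrant("lock")\n'
                 "def exchange(dx: uint256):\n    pass\n",
    "token.vy": "# @version 0.3.0\n@external\n@view\n"
                "def decimals() -> uint256:\n    return 18\n",
}

if __name__ == "__main__":
    for name, status in scan(SAMPLES).items():
        print(f"{name}: {status}")
```

A `not-affected` or `no-guard` result only rules out this compiler bug; it says nothing about reentrancy flaws in the contract's own logic.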
Vyper, the programming language used for many web3 projects and designed for the Ethereum Virtual Machine, is believed to be widely adopted by defi protocols.
Several DeFi projects bore the brunt of these attacks. Among them, Alchemix’s alETH-ETH reported outflows of $13.6 million, PEGd’s pETH-ETH pool suffered a loss of $11.4 million, Metronome’s sETH-ETH pool was hacked for $1.6 million, and over 32 million Curve DAO (CRV) tokens, worth more than $22 million, were drained in the past 24 hours.
Curve Finance, renowned for enabling the decentralized exchange of stablecoins within the Ethereum network, witnessed a sharp decline in its native CRV token’s value. The CRV token plummeted by 12.4% to $0.64 in the last 24 hours amid the chaos, raising concerns about potential liquidations, particularly for the founder of Curve, who reportedly held a borrowing position worth $70 million on Aave.
Since news of the exploits broke, the defi community has witnessed an intense battle between white hat and black hat hackers on-chain. Both groups have been trying to disrupt each other’s exploit attempts or their efforts to recover the stolen funds.
Amid the chaos, one potential white hat hacker, known as “c0ffebabe.eth,” managed to secure some funds for safekeeping. The hacker sent an on-chain message on July 30, urging affected protocols to get in touch to coordinate the return of funds.
5M returned back to @CurveFinance
— KGJR (@KGJRTG) July 30, 2023
To the relief of some victims, c0ffebabe.eth’s wallet successfully returned nearly 2,900 Ether (ETH) worth over $5 million to Curve through a transaction.
Moreover, another transaction revealed the movement of 1,000 ETH to a newly created wallet, possibly their cold wallet, for securing the recovered funds.