Various teams that forked Curve Finance code are now reporting exploits after an attacker discovered a vulnerability in an old compiler in the programming language Vyper.
Curve Finance is a decentralized exchange for stable swaps between stablecoins and crypto tokens such as Ethereum and Wrapped Ethereum (WETH).
The platform was exploited on Sunday for an estimated $52 million.
Beyond the damage done to Curve itself, the hack exposed a critical vulnerability in the wider DeFi ecosystem, specifically affecting smart contracts built using certain versions of the programming language Vyper.
This has had knock-on effects given how prevalent Vyper is used among various crypto projects–though much less than Solidity, OpenZeppelin’s head of solutions architecture Michael Lewellan told Decrypt.
According to a tweet from Vyper's team, contracts developed with Vyper versions 0.2.15, 0.2.16, and 0.3.0 are currently "vulnerable to malfunctioning reentrancy locks."
PSA: Vyper versions 0.2.15, 0.2.16 and 0.3.0 are vulnerable to malfunctioning reentrancy locks. The investigation is ongoing but any project relying on these versions should immediately reach out to us.
— Vyper (@vyperlang) July 30, 2023
The team strongly urges developers of other Vyper-based dApps to "immediately address" this issue. "This was not an issue in the protocols or dapps' code but an issue in Vyper itself—which is a minority EVM language, but has been around for a long time," solutions developer at Open Zeppelin Gustavo Gonzales told Decrypt.
Pseudonymous Vyper developer, señor doggo, suspects the involvement of "state-sponsored hackers" based on the level of resources, time, and expertise used in executing the hack and exposing the vulnerability with Curve smart contracts.
Officer’s Notes, an independent security researcher, told Decrypt that the Vyper smart contracts “may be vulnerable if two conditions were met.”
First, is that the contract is built using Vyper version 0.2.15. Second, it is that appropriate safeguards for add and removal of liquidity are not implemented in the code.
Certain type of Curve factory pool is encountering read-only reentrancy attack and causing a total loss of $11m(@JPEGd_69) + $13m(@AlchemixFi) + ...
Initial investigation founds that vyper compiler (0.2.15) doesn't implement the reentrancy guard correctly.
add_liquidity and… pic.twitter.com/avaHdtSFsm
— Tony KΞ (@tonyke_bot) July 30, 2023
Another issue that may have accelerated the exploit’s damage was that the bug’s details were posted on Twitter before the exploit had been mitigated.
This led “to some backlash due to this information being potentially used for further attacks,” Lewellan told Decrypt. “There are concerns in the ETH security community that communication of bugs needs to be more discreet.”
Curve forks report exploits
Curve protocol forks on other chains are also emerging with similar exploit reports.
Ellipsis Finance, an authorized Curve fork with $6.5 million in total deposits, per DeFiLlama data, tweeted this morning that a “small number of stablepools with BNB” were exploited.
A small number of stablepools with BNB using an old Vyper compiler have been exploited.
We are assessing the situation and will update the community on any further findings. https://t.co/pxkhRRSr5w
— Ellipsis (@Ellipsisfi) July 30, 2023
Curve Finance team also said the Tricrypto pool—composed of USDT, WBTC, and ETH—on Curve’s deployment on the layer-2 solution Arbitrum was also “potentially affected” but not exploited yet.
Auxo DAO, a decentralized yield-farming fund with total deposits worth $5.4 million, decided to remove liquidity from Curve and Convex Finance pools to “mitigate contagion risks.”
To mitigate contagion risks all positions have been promptly removed from Curve / Convex until further notice.
The treasury exposure to the @AlchemixFi alETH/ETH pool is 429.6 ETH. We are monitoring the situation, more information soon. https://t.co/wewmvWavwM
— Auxo (@AuxoDAO) July 30, 2023
Convex Finance is a DeFi application that offers yield optimization strategy for Curve’s CRV tokens with total deposits worth $1.382 billion, per DefiLlama data. Its liquidity has plummeted by 52.5% from $2.91 billion since yesterday after Curve’s exploit.
It has 298.3 million CRV tokens, according to a Dune dashboard, representing one-third of CRV circulating supply.
Usually, to earn fees and staking rewards from Curve, users need to lock CRV tokens for up to four years.
However, Convex bypasses the locking period by issuing a derivative cvxCRV to retain liquidity and enables the locking of CRV tokens to earn trading fees and claim boosted CRV without locking CRV.