Curve DAO faced a significant setback as millions of CRV tokens were pilfered just moments before a white hat rescue operation aimed at securing the funds, as revealed by blockchain data and Curve contributor Banteg.
According to a report, approximately 7 million CRV tokens and $14 million worth of wrapped ether (WETH) were lost during the exploit. The breach occurred within the CRV/ETH pool on Curve Finance, a prominent decentralized exchange (DEX) renowned for its streamlined stablecoin trading capabilities.
The platform features a diverse array of pools that facilitate trading between various tokens, primarily focusing on stablecoins while accommodating other digital assets.
Curve DAO Faces Vulnerability Impacting Multiple Pools
Curve DAO has been struck by a critical vulnerability that has repercussions across various pools, stemming from a bug found in earlier versions of the Vyper programming language.
“crv/eth pool drained minutes before a white hack operation,” Banteg wrote on Twitter, shedding light on the unfortunate incident.
crv/eth pool drained minutes before a whitehack operation 🙁https://t.co/rhALBzkTEi
— banteg (@bantg) July 30, 2023
The Curve DAO situation has drawn security analysts’ attention, with BlockSec revealing that the renowned cryptocurrency exchange, Binance, funded the wallet employed in the attack. This revelation has raised concerns about the potential risks lurking in the DeFi ecosystem.
Vyper, in response to the issue, has identified the specific versions prone to the malfunctioning reentrancy locks—0.2.15, 0.2.16, and 0.3.0. Projects relying on these vulnerable versions have been urged to contact Vyper for further assistance urgently.
PSA: Vyper versions 0.2.15, 0.2.16 and 0.3.0 are vulnerable to malfunctioning reentrancy locks. The investigation is ongoing but any project relying on these versions should immediately reach out to us.
— Vyper (@vyperlang) July 30, 2023
Curve DAO Breach: Unveiling The Flaw
As security firm Ancilia probes deeper into the situation, the full scope of the vulnerability comes to light. According to their analysis, many contracts were exposed to potential risks.
Specifically, 136 contracts relied on Vyper 0.2.15 with reentrant protection, 98 contracts were built using Vyper 0.2.16, and 226 contracts employed Vyper 0.3.0.
We did a fast run on github.
136 contracts found compiled with vyper 0.2.15 and used reentrant protection;
98 contracts found with 0.2.16 version
226 contracts found with 0.3.0 version— Ancilia, Inc. (@AnciliaInc) July 30, 2023
As the investigation progresses, the root cause of the vulnerability has been unveiled, shedding light on the extent of the risk. Specific versions of the Vyper compiler were found to need proper implementation of the reentrancy guard.
This critical oversight allows for the simultaneous execution of multiple functions, bypassing the intended locking mechanism in affected contracts. As a result, malicious actors could unleash reentrancy attacks capable of draining all funds from vulnerable contracts.
Meanwhile, Curve DAO (CRV) price is in red in all timeframes, losing nearly 13% in the last 24 hours. In the last week, the token has shed 14% of its value, figures from crypto market tracker Coingecko shows.
Featured image from Bill Hinton/Getty Images