Today Curve, DeFi's second-largest DEX by TVL according to DefiLlama, was exploited via a bug in the Vyper compiler used for multiple liquidity pools. This led to the alETH/ETH, msETH/ETH, pETH/ETH and CRV/ETH pools having a terrible, horrible, not good, very bad day, with at least $24 million lost. At the time of writing the price of the CRV token is down 14.84% on the day.
What we know so far...
"Correct: it's just typical reentrancy and price manipulation. Not read only"
The specific problem appears to involve a "reentrancy" exploit. The website Hackernoon describes this type of exploit as one of the most destructive attacks that can occur at the smart contract level.
A reentrancy attack occurs when a function makes an external call to another untrusted contract. Then the untrusted contract makes a recursive call back to the original function in an attempt to drain funds.
When the contract fails to update its state before sending funds, the attacker can repeatedly re-enter the withdraw function to drain the contract's funds.
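The mechanism described above, as an added Python model (not code from Curve, Vyper or Hackernoon): a vault that pays out before clearing the caller's balance, beside one that clears state first and also holds a reentrancy lock. The vault, the attacker contract and the amounts are constructed for illustration.

```python
# Added example (not Curve/Vyper code): Python model of the reentrancy pattern above; values constructed.

class Attacker:
    def __init__(self, vault, deposit):
        self.vault, self.deposit, self.balance = vault, deposit, 0
    def on_receive(self, amount):  # untrusted callee: calls back into withdraw()
        self.balance += amount
        if self.vault.pool >= self.deposit:
            try:
                self.vault.withdraw(self)
            except RuntimeError:
                pass  # inner call reverted; keep what was already received

class VulnerableVault:
    def __init__(self):
        self.pool, self.balances = 0, {}
    def deposit(self, who, amount):
        self.pool += amount
        self.balances[who] = self.balances.get(who, 0) + amount
    def withdraw(self, who):
        amount = self.balances.get(who, 0)
        if amount == 0 or self.pool < amount:
            raise RuntimeError("insufficient funds")
        self.pool -= amount
        who.on_receive(amount)  # external call while balances[who] is still credited
        self.balances[who] = 0  # state update arrives too late

class SafeVault(VulnerableVault):
    locked = False  # reentrancy lock (per instance once set)
    def withdraw(self, who):  # checks-effects-interactions order plus the lock
        if self.locked:
            raise RuntimeError("reentrant call")
        amount = self.balances.get(who, 0)
        if amount == 0 or self.pool < amount:
            raise RuntimeError("insufficient funds")
        self.locked = True
        try:
            self.balances[who] = 0  # effects first ...
            self.pool -= amount
            who.on_receive(amount)  # ... interaction last
        finally:
            self.locked = False

def run_attack(vault_cls, honest_funds=90, attacker_funds=10):  # -> (attacker take, pool left)
    vault = vault_cls()
    vault.deposit("honest", honest_funds)
    attacker = Attacker(vault, attacker_funds)
    vault.deposit(attacker, attacker_funds)
    vault.withdraw(attacker)
    return attacker.balance, vault.pool
```

Either defence alone stops this callback, but a lock the compiler emits is only as trustworthy as that compiler, so updating state before the external call is worth keeping as an independent layer.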
The teams of all protocols involved in the pools listed (Alchemix, JPEG'd and Metronome) have taken to Twitter with statements about their own investigations into the matter, assuring users that their own smart contracts are still safu.
For now, the exploit seems to be confined to Curve pools whose smart contracts were compiled with this specific Vyper version (0.2.15).
Is this just the beginning?
I imagine that this is only the beginning of the Vyper bug / reentrancy contagion, since many dapps see Curve as an industry leader, which creates and sets best practices.
Another X poster shares screenshots of what appears to be the same exploit occurring on BNB Chain. In one of the screenshots, the Horizon DEX is mentioned, which recently launched as the main DEX (by TVL) on Linea, the new L2 by the Consensys team (the folks behind MetaMask).
Be Active - Be Safe
Of course none of this is financial advice (we don't do that here), but now is the time to be vigilant and remove funds from any pools on similar DEXs until this whole mess is cleared up. Better to be safe than sorry.
You can find a list of forks of Curve by visiting the Curve page on DefiLlama and viewing the list of competitors. While tokens and pools vary from chain to chain, competitors forked directly from Curve run a higher risk of suffering from the same exploit.
Posted Using LeoFinance Alpha