As a result of a vulnerability in Vyper, decentralized finance (DeFi) protocols have been subjected to extensive stress tests. A series of pools that used Vyper 0.2.15, 0.2.16, and 0.3.0 were exploited due to a malfunctioning reentrancy lock, with the exploits targeting a minimum of four liquidity pools on Curve Finance.
A number of stablepools (alETH/msETH/pETH) using Vyper 0.2.15 have been exploited as a result of a malfunctioning reentrancy lock. We are assessing the situation and will update the community as things develop.
Other pools are safe. https://t.co/eWy2d3cDDj
— Curve Finance (@CurveFinance) July 30, 2023
Right after the exploit, Curve highlighted that the affected pools were alETH/ETH, msETH/ETH, pETH/ETH, and CRV/ETH, and that all other pools remained safe. The smart contract auditing firm BlockSec suggested that the reentrancy issue might place all pools with wrapped Ether at risk.
Please note that this reentrancy issue is associated with the use of 'use_eth', which could potentially place the WETH-related pools in jeopardy! @CurveFinance , please DM us if you need any help. https://t.co/vjc1RRce7w pic.twitter.com/Wz8DXJZK7Y
— BlockSec (@BlockSecTeam) July 30, 2023
BNB Chain Gets Hit with a Copycat Vyper Attack
The BNB Chain has recently suffered a series of copycat exploits following the discovery of a vulnerability in the Vyper programming language. Amid the series of exploits carried out on the Ethereum chain, BlockSec reported that cryptocurrencies worth $73,000 were stolen. Vyper was designed for the Ethereum Virtual Machine (EVM) and is used mostly for Web3 projects. Currently, it is widely speculated that other protocols using the same versions might be affected.
Since the news of the exploit started making its rounds, white hat and black hat hackers have been disrupting each other’s additional exploit attempts or efforts to recover the stolen funds. However, a white hat hacker was able to get hold of some of the funds for safekeeping. They sent an on-chain message to the exploited protocols asking them to get in touch, in hopes of organizing the return of the stolen funds.
DeFi Curve Finance Pools Continue to Suffer
Curve Finance, meanwhile, suffered a loss of almost $47 million in a reentrancy attack. Based on the findings of the initial investigation, certain versions of the Vyper compiler incorrectly implement the reentrancy guard, which prevents multiple functions from being executed at the same time by a contract. Reentrancy attacks are usually capable of draining all funds from a contract.
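How a reentrancy guard is meant to behave, as an added example that is not from the original article or from Vyper's or Curve's code: a Python model of a pool whose guarded functions should share one lock, with a regression check that fails when they do not. The class and function names, and the per-function-lock failure mode used for the broken case, are assumptions made for illustration; the article does not detail the compiler defect.

```python
# Toy model, constructed for illustration; all names are hypothetical and
# this is not Vyper's or Curve's code.
class Reentrancy(Exception):
    """Raised when a guarded function is entered while its lock is held."""


class Pool:
    def __init__(self, shared_lock: bool):
        self.shared_lock = shared_lock  # True = guard behaves as intended
        self.locks = {}                 # lock slot -> currently held?
        self.calls = []                 # guarded functions that completed

    def _guarded(self, fn_name, body):
        # Intended: every guarded function checks and sets ONE shared slot.
        # Assumed failure mode: each function ends up with its own slot.
        slot = "lock" if self.shared_lock else f"lock:{fn_name}"
        if self.locks.get(slot):
            raise Reentrancy(fn_name)
        self.locks[slot] = True
        try:
            body()
            self.calls.append(fn_name)
        finally:
            self.locks[slot] = False    # always release, even on failure

    def withdraw_eth(self, receiver_callback):
        # Sending native ETH hands control to the receiver mid-call;
        # the callback stands in for the receiver's code.
        self._guarded("withdraw_eth", receiver_callback)

    def deposit(self):
        self._guarded("deposit", lambda: None)


def reentry_blocked(pool: Pool) -> bool:
    """Regression check: while withdraw_eth is running, the receiver must
    not be able to enter another guarded function of the same pool."""
    try:
        pool.withdraw_eth(pool.deposit)
    except Reentrancy:
        return True
    return False


if __name__ == "__main__":
    print("shared lock blocks reentry:", reentry_blocked(Pool(True)))
    print("per-function lock blocks reentry:", reentry_blocked(Pool(False)))
```

A guard that is only tested by re-entering the same function would pass in both configurations, so the check deliberately crosses from one guarded function into another.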
The news of the exploits sent major shockwaves throughout the crypto industry, resulting in a wave of transactions across numerous pools and a rescue operation by white hat hackers. The current situation seems dire for Curve, as its native token, CRV, has dropped by a staggering 15.67% following the attack. The decline has pushed the trading price of the token down to $0.6215, and the market cap currently stands at the $552 million mark.