DeFi Exchange Curve Finance Confirms Various Ethereum Pools Hacked

The Curve Finance team has confirmed which pools were affected in the latest multi-million dollar exploit due to a Vyper vulnerability.

•

This morning, Curve Finance said that apart from several Ethereum pools, an Arbitrum-based liquidity pool may have also been "potentially affected" over the weekend.

Curve Finance is a popular decentralized exchange (DEX), letting users swap like-assets such as Ethereum for Staked Ethereum, or Tether's USDT for Circle's USDC. It can be a helpful arbitrage tool for many traders should those assets decouple in price from one another.

Per initial reports, the platform was exploited on Sunday for over $24 million. However, blockchain security firm PeckShield has updated the stolen amount to $52 million as the hack unfolds in real-time.

The decentralized exchange’s team wrote in the tweet that three liquidity pools for tokens paired with Ethereum (ETH) and Curve governance token CRV, and several ERC-20 tokens issued on Alchemix (alETH), Metronome Synth (smETH), JPEG’d (pETH) “were hacked” due to an “issue in Vyper compiler” versions.

Vyper is a programming language for writing smart contracts on the Ethereum blockchain. The programming language’s core team tweeted this morning some older versions of the Vyper programming language were vulnerable to exploitation.

PSA: Vyper versions 0.2.15, 0.2.16 and 0.3.0 are vulnerable to malfunctioning reentrancy locks. The investigation is ongoing but any project relying on these versions should immediately reach out to us.

— Vyper (@vyperlang) July 30, 2023

A lead contributor for the programming language also took to Twitter, saying that the hackers likely spend "weeks to months to find" the vulnerability.

The latest tweet by Curve's team highlighted another knock-on effect on the Vyper-based liquidity pool on its deployment on the layer-2 solution Arbitrum. The team said that Tricrypto, made of three tokens: USDC, wBTC, and ETH was “potentially affected.”

The tweet read that while security experts like auditors and Vyper devs have not yet found a way for a “profitable exploit,” the pools remain vulnerable and advised liquidity providers to “exit that one.”

Elsewhere, another BNB Chain-based DEX Ellipsis has reported an exploit of stable swap pools on BNB Chain.

A small number of stablepools with BNB using an old Vyper compiler have been exploited.

We are assessing the situation and will update the community on any further findings. https://t.co/pxkhRRSr5w

— Ellipsis (@Ellipsisfi) July 30, 2023

South Korean crypto exchange Upbit announced the temporary suspension of deposits and withdrawals of CRV tokens as a precautionary measure.

The exchange wrote in the press release that, “Upbit will continue to monitor this situation, and members are advised to pay attention to the increase in price volatility of Curve.”