Curve Finance, a popular decentralized finance (DeFi) protocol for stablecoin trading, has been hit by an exploit that resulted in over $24 million worth of losses.
The exploit occurred on July 30 and affected several stable pools on Curve Finance that used Vyper, a programming language for smart contracts. According to Vyper, some versions of its compiler had a reentrancy bug that allowed attackers to drain funds from the pools.
Reentrancy is a class of vulnerability in which an attacker calls back into a contract function before an earlier call to it has finished executing, so the function runs again against state that has not yet been updated, leading to unexpected outcomes. In this case, the attacker was able to withdraw more funds than they deposited, bypassing the reentrancy guard implemented by Vyper.
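To make the mechanism concrete, here is a small Python model written for this page; it is not Vyper code and not Curve's or any attacker's contract. The pool, the re-entering caller and the deposit amounts are all constructed. The same pool is run once with the vulnerable ordering (pay out, then record the withdrawal) and once with a shared lock plus checks-effects-interactions ordering, which is the pattern a working nonreentrant guard enforces:

```python
"""Single-threaded model of reentrancy against a pool-style contract.

Constructed example: a Python stand-in for an EVM contract, not Vyper and not
Curve's code. An external call is modelled as a Python method call into the
caller's object, which is where a re-entrant call can originate.
"""


class ReentrancyError(Exception):
    """Stands in for the revert a working nonreentrant lock produces."""


class Pool:
    """Holds deposits; withdraw() pays out via an external call to the caller."""

    def __init__(self, guarded: bool):
        self.guarded = guarded
        self.balances: dict = {}
        self.holdings = 0          # tokens actually held by the contract
        self._locked = False       # one lock slot shared by the whole contract

    def deposit(self, who, amount: int) -> None:
        self.balances[who] = self.balances.get(who, 0) + amount
        self.holdings += amount

    def withdraw(self, caller) -> int:
        # A correct guard refuses entry while another call is still running.
        if self.guarded and self._locked:
            raise ReentrancyError("withdraw re-entered")
        self._locked = True
        try:
            amount = self.balances.get(caller, 0)
            if amount == 0 or amount > self.holdings:
                return 0
            if self.guarded:
                # checks-effects-interactions: settle state before calling out
                self.balances[caller] = 0
                self.holdings -= amount
                caller.on_receive(self, amount)
            else:
                # vulnerable ordering: pay first, record the withdrawal afterwards
                self.holdings -= amount
                caller.on_receive(self, amount)
                self.balances[caller] = 0
            return amount
        finally:
            self._locked = False


class ReenteringCaller:
    """Contract whose receive hook calls back into withdraw() while it runs."""

    def __init__(self):
        self.received = 0

    def on_receive(self, pool: Pool, amount: int) -> None:
        self.received += amount
        try:
            pool.withdraw(self)       # re-enter before the first call finished
        except ReentrancyError:
            pass                      # inner call reverted; the outer one continues


def simulate(guarded: bool) -> tuple:
    """Return (tokens the re-entering caller received, tokens left in the pool)."""
    pool = Pool(guarded)
    honest = "honest-lp"              # constructed: another depositor, never calls back
    attacker = ReenteringCaller()
    pool.deposit(honest, 90)
    pool.deposit(attacker, 10)
    pool.withdraw(attacker)
    return attacker.received, pool.holdings


if __name__ == "__main__":
    print("vulnerable:", simulate(False))   # the 10-token deposit drains all 100
    print("guarded:   ", simulate(True))    # exactly 10 paid out, 90 remain
```

The guarded variant shows both halves of the usual defence: state is updated before the external call, and a single lock slot covers every entry point of the contract, so a callback from any of them is rejected. A guard whose lock is not actually shared across functions, or whose state is written after the call out, gives no protection, which is why a compiler bug in the guard itself is as serious as omitting it.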
The affected pools included alUSD, sUSD, pBTC, and renBTC. The attacker managed to steal $13.6 million from Alchemix’s alUSD pool, $11.4 million from JPEGd’s sUSD pool, and smaller amounts from the other pools.
Curve Finance confirmed the exploit on Twitter and advised users to avoid using the affected pools until further notice. The team also said that they were working with security experts and white hat hackers to recover the funds and prevent further attacks.
The exploit had a negative impact on the price of CRV, the native token of Curve Finance, which dropped by 17% on the day and was trading at $0.61 at the time of writing.
This is not the first time that Curve Finance has been exploited. In February, an attacker used a flash loan to manipulate the price of DAI and sUSD on Curve Finance and stole $2.5 million from bZx’s Fulcrum protocol.
The exploit also highlights the risks of using Vyper as a programming language for smart contracts. Vyper is a Python-like language that aims to be simple and secure, but has been criticized for being immature and poorly audited. In November 2020, Vyper was removed from the Solidity compiler due to security issues.
The exploit also raises questions about the regulation and security of DeFi protocols, which have been growing rapidly in popularity and value. According to DeFi Pulse, the total value locked in DeFi protocols has reached over $80 billion, making them attractive targets for hackers and scammers.