On a fateful Sunday morning, Curve Finance, a prominent decentralized exchange (DEX) in decentralized finance (DeFi), fell victim to a major security breach, resulting in a staggering loss of millions of dollars. Curve Finance allows users to exchange similar assets, such as Ethereum for Staked Ethereum or Tether’s USDT for Circle’s USDC. This platform serves as a valuable arbitrage tool for traders, particularly when these assets experience price decoupling from one another.
The Exploits and Their Impact
The hack occurred on a Sunday morning, causing a significant loss of funds for various liquidity pools on the Curve Finance platform. The attackers managed to drain approximately $52 million, impacting multiple pools, including Alchemix, Pendle, and Metronome.
On July 30th, around 9:30 am ET, the hackers launched their attack, exploiting the JPEG’d’s pETH-ETH liquidity pool and stealing more than $11 million. However, there were doubts about whether this was done by a Miner Extractable Value (MEV) searcher trying to get ahead. Shortly after, four more attacks occurred, possibly orchestrated by different individuals. These attacks targeted the liquidity pools of Alchemix’s alETH-ETH, the CRV/ETH pool (twice), Pendle’s pETH-ETH, and Metronome’s msETH-ETH, leading to a total loss of over $52 million. Following this news, Curve’s CRV governance and rewards token fell by 31% to $0.50 and is currently trading around $0.58.
The 0-day Bug and Compiler Vulnerability
Shortly after the attacks, Dr. Laurence Day, founder of Wildcat Finance and an expert on smart contract exploits, discovered the root cause of the thefts. The attackers had exploited a zero-day vulnerability in specific versions of the Vyper compiler, the programming language used for multiple contracts on Curve Finance. The vulnerability was related to the failure of “reentrancy” preventions, a common exploit vector in smart contracts. The discovery triggered discussions among various development teams, with some pointing fingers at each other.
Alchemix’s Response and Damage Control
In the wake of the attack, Alchemix, one of the hardest-hit protocols, acted swiftly to prevent further exploitation. According to a tweet from the Alchemix development team, an attacker was able to seize 5,000 ETH from the alETH-ETH pool, potentially causing the alETH asset to be partially unbacked. The extent of the damage is unclear; two attacks on the alETH drained over $30 million, but one may have been a whitehat operation. Responding to this attack, they promptly paused affected contracts to mitigate the impact. However, despite their efforts, the full extent of the damage remains to be determined.
Possible Contagion and Ripple Effects
Beyond the immediate economic impact of the attacks, there were concerns about potential ripple effects throughout the DeFi ecosystem. Founder Michael Egorov’s $60 million Aave V2 loan, which relied heavily on CRV tokens, was of particular interest. This sizable position became a potential target for future attacks. However, Egorov’s proactive measures helped stabilize the position, avoiding further damage.
Despite the severity of the attack, there were some positive developments in the recovery process. White hat hackers, driven by the desire to help the affected community, took action to retrieve a portion of the stolen funds, thereby preventing further losses. A maximal extractable value bot operator with the username “c0ffeebabe.eth” used a front-running bot against a malicious hacker to secure 2,879 ETH valued at around $5.4 million and returned it to Curve Finance.
Curve Finance’s recent security breach served as a wake-up call for the DeFi ecosystem, highlighting platforms’ ongoing challenges in securing their smart contracts against sophisticated attackers. While the attack had significant economic implications, the response from ethical hackers and the recovery efforts provide hope for mitigating the impact of such incidents in the future. As the DeFi space grows, collaboration among all stakeholders, including developers, security experts, and users, is crucial to enhance security measures and safeguard the ecosystem from similar exploits.