On July 30, the decentralized finance (DeFi) space faced a significant setback as attackers exploited vulnerabilities in multiple stable pools on Curve Finance, along with several other DeFi projects. The aftermath of the attack left the ecosystem reeling from losses amounting to a staggering $24 million.
The root cause of the exploit was traced back to specific versions (0.2.15, 0.2.16, and 0.3.0) of the Vyper compiler, a Python-based programming language used for creating smart contracts on the Ethereum blockchain. These versions had a flaw related to "malfunctioning reentrancy locks," which are vital security features designed to prevent reentrancy attacks, a type of attack where an attacker repeatedly calls a function in a smart contract before the initial call is completed, potentially leading to unexpected behavior in the contract.
The vulnerability allowed the attackers to bypass the intended protections in the affected contracts, resulting in an unauthorized draining of funds from the targeted pools. This swift and impactful attack sent shockwaves through the DeFi community, raising serious concerns about security practices within the space.
Several prominent DeFi platforms were hit hard by the exploit. Ellipsis, a decentralized exchange, suffered significant losses due to the exploitation of specific stable pools containing Binance Coin (BNB). Alchemix's alETH-ETH pool experienced a loss of $13.6 million, and JPEG’d, an NFT lending protocol, had approximately $11 million worth of cryptocurrency stolen according to Decurity. The incident affected the DeFi community's confidence in these platforms, causing JPEG’d governance token (JPEG) to plummet by 23%, reaching an all-time low of $0.000347.
The problem extended beyond JPEG’d, as Alchemix and Metronome DAO suffered losses of $13.6 million and $1.6 million, respectively, in a similar fashion shortly after the attack. Alchemix publicly acknowledged on Twitter that they are diligently working to resolve issues with their liquidity pool. While, MetronomeDAO stated on Twitter that their investigation into the incident is ongoing, considering it as part of a larger series of exploits.
The attacker in JPEG’d's case was front-run by a maximal extractable value (MEV) bot, which identified the attacker's transaction and executed a similar transaction ahead of them.
The responsibility for the vulnerability was attributed to the Vyper compiler, which failed to compile the code properly in certain versions. Consequently, re-entry guards, crucial protections included in the projects' code to guard against reentrancy attacks, failed to work as intended.
The incident served as a critical reminder of the risks associated with vulnerabilities in smart contract code and their potential impact on the broader DeFi market. It also emphasized the importance of responsible disclosure and collaborative responses within the community. In the aftermath of the attack, white hat hackers and security experts united to assess the damage and initiate a rescue operation to minimize further losses.
Vyper, the creators of the affected compiler versions, acknowledged the seriousness of the situation and urged all projects using those vulnerable versions to take immediate action. They stressed the need for developers to proactively update their smart contract code to more secure versions of the compiler.
As the DeFi ecosystem investigated the incident, there was heightened activity across various pools as users and project teams sought to protect their assets from potential follow-up attacks. It also sparked discussions within the DeFi community about the necessity for more comprehensive security audits and bug bounty programs to proactively detect and address vulnerabilities. As DeFi evolves, the emphasis on security practices and code audits will become increasingly critical to protect against potential exploits.