- Vyper vulnerabilities led to $47 million in losses in DeFi projects.
- Curve Finance drained 32 million CRV tokens.
- The Front-running MEV bot worsened losses for the JPEG’d project during the attack.
In a devastating blow to the decentralized finance (DeFi) ecosystem, several projects utilizing Vyper— an alternative programming language for Ethereum smart contracts, suffered significant losses, with attackers making off with over $47 million. The incidents occurred on July 30, targeting stable pools on Curve Finance, an automated market maker platform.
The vulnerabilities were rooted in Vyper’s 0.2.15, 0.2.16, and 0.3.0 versions, specifically related to malfunctioning reentrancy locks. Among the affected projects were decentralized exchange Ellipsis, Alchemix’s alETH-ETH, JPEG’d’s pETH-ETH pool, and Metronome’s sETH-ETH pool. Curve Finance’s swap pool also saw the draining of 32 million CRV tokens, valued at over $22 million, a fact confirmed by Curve Finance CEO Michael Egorov.
In response to the attacks, the founder of Curve Finance made a repayment to Aave of 4.63M USDT, and deposited $10.12 million worth of CRV as collateral. In turn, Aave took swift action by disabling the CRV borrowing function to prevent further exploitation of the vulnerability.
In-Depth Analysis Of The Vyper Vulnerability
The attacks were re-entry attacks, a common vector for hackers to exploit DeFi protocols. In which the attackers used the Vyper vulnerabilities to repeatedly enter the contract and siphon funds. Cybersecurity experts emphasize that proper design and development practices could mitigate such risks in the future.
During investigations, it was discovered that attackers used a maximal extractable value (MEV) bot to front-run JPEG’d. The bot executed a similar transaction before the attacker, making profits and increasing losses for affected projects.
Meanwhile, Vyper acknowledged the compiler’s failure on X. And it became evident that the issue wasn’t limited to a single project. Following the JPEG’d exploit, Alchemix and MetronomeDAO also lost $13.6 million and $1.6 million, respectively, in a similar manner.
The attacks have had a significant impact on the governance tokens of the affected projects. JPEG’d’s governance token, JPEG, experienced a sharp decline of 22.47% in value, reaching an all-time low of $0.000347. Similarly, Alchemix and MetronomeDAO are actively working to fix the issues in their liquidity pools, with MetronomeDAO describing the attack as “part of a broader set of exploits.”
Finally, As the investigation unfolds, affected projects are working tirelessly to rectify the vulnerabilities. And strengthen their security protocols to prevent similar attacks in the future.