CRV Token Vulnerability Exposes $100M in DeFi
Curve Finance and its CRV token, a key player in Ethereum’s DeFi ecosystem, suffered a significant exploit caused by a bug that exposed over $100 million in cryptocurrency. The exploit, which occurred on July 30, targeted stable pools implemented in the Vyper programming language and revealed vulnerabilities in Vyper versions 0.2.15, 0.2.16, and 0.3.0. A “re-entrancy” bug allowed hackers to drain stablecoin pools, severely affecting pricing and liquidity across various DeFi services.
Security firm Ancilia revealed that 136 contracts used Vyper 0.2.15 with re-entrancy protection, 98 contracts relied on Vyper 0.2.16, and 226 contracts used Vyper 0.3.0. Projects using these versions were advised to contact Vyper promptly for further action.
A number of stablepools (alETH/msETH/pETH) using Vyper 0.2.15 have been exploited as a result of a malfunctioning reentrancy lock. We are assessing the situation and will update the community as things develop.
Other pools are safe. https://t.co/eWy2d3cDDj
— Curve Finance (@CurveFinance) July 30, 2023
Preliminary investigations found that certain Vyper compiler releases did not implement the re-entrancy guard correctly, leaving contracts compiled with them susceptible to re-entrancy attacks that could deplete funds. Vyper is a pythonic language for the Ethereum Virtual Machine; its similarity to Python makes it accessible to developers who know Python and are entering the Web3 space.
Other projects using the Vyper language may also face similar vulnerabilities, and an investigation is ongoing.
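As an added illustration (not code from the article, from Curve, or from the Vyper project), the plain-Python model below shows the property a keyed re-entrancy guard such as Vyper’s `@nonreentrant(key)` decorator must provide: every function decorated with the same key shares one lock, so a callback that fires during one guarded function cannot re-enter another function guarded by that key, and the lock is released when the outer call finishes. The `ToyPool`, its function names and the callback are constructed for the example.

```python
from functools import wraps


class ReentrancyError(RuntimeError):
    """Raised when a guarded function is entered while its key is already locked."""


def nonreentrant(key):
    """Model of a keyed re-entrancy guard (assumed semantics, modelled on Vyper's
    @nonreentrant(key)): all functions sharing `key` share ONE lock slot, so no
    guarded function can start while another function with that key is running."""
    def decorator(fn):
        @wraps(fn)
        def wrapper(self, *args, **kwargs):
            if self._locks.get(key):
                raise ReentrancyError(f"{fn.__name__}: key {key!r} is locked")
            self._locks[key] = True
            try:
                return fn(self, *args, **kwargs)
            finally:
                self._locks[key] = False      # released even if fn raises
        return wrapper
    return decorator


class ToyPool:
    """Constructed toy pool with two state-changing functions under one key."""

    def __init__(self, balance, on_transfer=None):
        self.balance = balance
        self._locks = {}                      # key -> locked flag, shared per key
        self.on_transfer = on_transfer        # simulated external call during a transfer

    def _transfer(self, amount):
        # An external call is where untrusted code regains control before state is final.
        if self.on_transfer:
            self.on_transfer(self)
        self.balance -= amount

    @nonreentrant("lock")
    def remove_liquidity(self, amount):
        if amount > self.balance:
            raise ValueError("insufficient balance")
        self._transfer(amount)
        return self.balance

    @nonreentrant("lock")
    def exchange(self, amount):
        self._transfer(amount)
        return self.balance


def reentry_is_blocked(start=100):
    """True when a callback inside exchange() cannot re-enter remove_liquidity()
    (same key, different function) and the lock is free again afterwards."""
    blocked = []

    def callback(pool):                       # constructed: runs mid-transfer
        try:
            pool.remove_liquidity(10)
        except ReentrancyError:
            blocked.append(True)

    pool = ToyPool(start, on_transfer=callback)
    after_swap = pool.exchange(5)             # callback is refused, swap completes
    pool.on_transfer = None
    after_withdraw = pool.remove_liquidity(10)  # lock was released, call succeeds
    return bool(blocked) and after_swap == start - 5 and after_withdraw == start - 15
```

A compiler that allocated separate lock state per function instead of per key would let the callback above succeed, which is the behaviour a guard must be tested against before relying on it.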
The security breach hit trading markets for Curve DAO’s CRV token, which fell 16.5% to trade at $0.615. The drop raised the risk of a liquidation event on the Curve founder’s $70 million borrowing position on Aave.