DeFi projects continue to be a popular target of attack for advanced hackers, as a number of finance pools associated with Curve were hit on July 31 for a total loss of about $61 million. The attack appears to have been the result of a vulnerability found in certain versions of the Vyper programming language used for Ethereum smart contracts.
Adding to the total damage was a rug pull involving the trendy BALD coin, which saw a massive surge of interest following its late July introduction. After the coin mooned for two days, the anonymous creator suddenly pulled $12.5 million out of the exchange and immediately crashed the price.
Bloomberg estimates that a total of $1.5 billion was pulled from the ecosystem as traders were scared off by the two events, and a fresh set of questions has been raised about the independence and long-term viability of DeFi projects.
Curve finance pools compromised by programming language flaw
The Curve attack was caused by a vulnerability in versions 0.2.15, 0.2.16 and 0.3.0 of Vyper. This impacted several DeFi projects, mostly stable pools with substantial holdings. These versions of Vyper incorrectly implemented a reentrancy guard that locks contracts to prevent multiple functions from being executed at the same time.
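The kind of check a reviewer would want for a guard like the one described above, as an added example that is not Vyper and not Curve's or the Vyper project's code: a small Python model of a pool whose lock is either shared by every guarded function or kept per function. The model assumes (as a labelled simplification) that the guard's failure mode is a lock that is not shared across functions, and it constructs a toy ledger with a deposit, a credit transfer and a withdrawal that makes an outgoing call before recording the debit. A property test then asks whether the pool stays solvent when the receiver's code re-enters a different guarded function during that call.

```python
"""Toy model of a contract-wide reentrancy guard (constructed example, not Vyper).

Assumption modelled here: the defective guard keys its lock by function name,
so locking `withdraw` does not lock `transfer_credit`; the correct guard keys
every function to the same lock. Ledger layout and names are constructed.
"""
from dataclasses import dataclass, field
from typing import Callable, Dict, Optional


class Reentered(Exception):
    """Raised when a guarded function is entered while its lock is held."""


@dataclass
class Pool:
    shared_lock: bool                      # True: one lock for all guarded functions
    credits: Dict[str, int] = field(default_factory=dict)  # internal claims ledger
    reserve: int = 0                       # tokens the contract actually holds
    _locks: Dict[str, bool] = field(default_factory=dict)
    # Models the receiver's fallback code that runs during an outgoing transfer.
    receive_hook: Optional[Callable[["Pool", str, int], None]] = None

    def _guarded(self, fn_name: str, body: Callable[[], None]) -> None:
        key = "contract" if self.shared_lock else fn_name
        if self._locks.get(key, False):
            raise Reentered(fn_name)
        self._locks[key] = True
        try:
            body()
        finally:
            self._locks[key] = False

    def deposit(self, who: str, amount: int) -> None:
        def body() -> None:
            self.credits[who] = self.credits.get(who, 0) + amount
            self.reserve += amount
        self._guarded("deposit", body)

    def transfer_credit(self, src: str, dst: str, amount: int) -> None:
        def body() -> None:
            if self.credits.get(src, 0) < amount:
                raise ValueError("insufficient credit")
            self.credits[src] -= amount
            self.credits[dst] = self.credits.get(dst, 0) + amount
        self._guarded("transfer_credit", body)

    def withdraw(self, who: str, amount: int) -> None:
        def body() -> None:
            if self.credits.get(who, 0) < amount:
                raise ValueError("insufficient credit")
            self.reserve -= amount
            if self.receive_hook is not None:   # external call before the debit lands
                self.receive_hook(self, who, amount)
            self.credits[who] -= amount
        self._guarded("withdraw", body)

    def solvent(self) -> bool:
        """Invariant a reviewer checks: credits are non-negative and fully backed."""
        return (sum(self.credits.values()) == self.reserve
                and min(self.credits.values(), default=0) >= 0)


def run_scenario(shared_lock: bool) -> dict:
    """Deposit, then withdraw while the receiver re-enters transfer_credit."""
    pool = Pool(shared_lock=shared_lock)
    events = []

    def hook(p: Pool, who: str, amount: int) -> None:
        # During the outgoing transfer, try to move the not-yet-debited credit away.
        try:
            p.transfer_credit(who, "other", amount)
            events.append("reentry_allowed")
        except Reentered:
            events.append("reentry_blocked")

    pool.receive_hook = hook
    pool.deposit("alice", 100)
    pool.withdraw("alice", 100)
    return {"events": events, "solvent": pool.solvent(),
            "credits": dict(pool.credits), "reserve": pool.reserve}


if __name__ == "__main__":
    for shared in (True, False):
        print("shared lock" if shared else "per-function lock", run_scenario(shared))
```

With the shared lock the re-entry is refused and the ledger stays consistent; with the per-function lock the same call sequence leaves a negative credit that the reserve no longer backs. The model also makes a second point a reviewer would raise independently of the guard: recording the debit before the external call (checks, effects, then interactions) would close the window even if the lock were broken.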
The largest single loss in this attack campaign was 32 million Curve DAO (CRV) tokens taken from the organization’s swap pool, with a value of about $22 million. Tens of millions of dollars in Alchemix’s alETH-ETH and JPEGd’s pETH-ETH were also taken along with raids on a number of smaller finance pools holding Binance Coin (BNB).
The total financial damage could extend well beyond the known thefts from finance pools, however. It is possible that all pools holding wrapped Ether (WETH) are exposed, due to the nature of the vulnerability. WETH is used to bridge trades between ETH and ERC-20 tokens, and is pegged 1:1 to ETH.
Additionally, 47% of CRV was being used by Curve founder Michael Egorov as collateral on a total of $100 million in loans. However, Egorov has since sold some 39 million CRV to other movers and shakers in DeFi projects to stabilize his position. CRV has seen a major dip in value but did not zero out, and crvUSD was similarly saved from depegging.
Curve is also offering a 10% bounty on the recovery of any stolen funds with a “no questions asked” guarantee, and some takers (both apparent thieves and white hat hackers) have already stepped forward with a cumulative sum of over $10 million of the stolen money. As of August 6, the bounty is being expanded to information leading to the identification and conviction of any guilty parties. Interested parties have been asked to reach out to “curvenegotiation@protonmail.com” with any pertinent information.
Losses from DeFi projects paired with major coin scam to start off August
Toward the end of July, an anonymous developer launched a joke coin called BALD (referencing Coinbase CEO Brian Armstrong) on the new and experimental Base OP Stack. Between July 29 and 30 the coin price spiked by 40,000% as it became a meme purchase. The creator wasted no time taking advantage of the situation, pulling $12.5 million in liquidity off the exchange and immediately crashing the coin.
This drained the LeetSwap finance pools, which were then further abused on July 31 by a separate exploit of a smart contract vulnerability. The attacker had access to about $630,000 in digital assets, though over half of this has now been secured from finance pools that the hacker had not yet accessed.
The BALD rug pull was probably not a planned scam from the beginning, but the opportunistic creator tweeted on August 1 that they would not return the liquidity to DeFi projects until a reputable and more secure decentralized exchange was established, and would then only offer up a “modest amount.”
In the long term the incident will probably not harm the fortunes of Base, which is still effectively in a beta state. The collection of incidents to close out July has led to community calls for a general improvement of the security of DeFi projects, however, such as better code reviews and more bug bounty programs. There have also long been calls for some sort of trusted third parties to be established to audit smart contract protocols, as even AI-driven tools are not proving entirely equal to the task.
And this string of incidents has created concern that the individual decisions and movements of “whales” in the ecosystem’s finance pools, sometimes paired with the actions of opportunistic bots, still carry far too much weight among DeFi projects that were meant to be truly beyond such central sources of influence.