Curve DAO token lost 17% of its value under a massive attack. A series of exploits targeting DeFi projects in Curve Finance, leaving the platform in a vulnerable position with $100 million worth of cryptocurrency at risk.
Curve, one of the most popular decentralized finance (DeFi) protocol, announced a series of CRV pools got exploited due to a smart contract vulnerability called “reentrancy.”
The attack targeted factory pool, a model that allows projects or individuals to launch their own liquidity pool through Curve’s infrastructure.
“A number of stablepools (alETH/msETH/pETH) using Vyper 0.2.15 have been exploited as a result of a malfunctioning reentrancy lock. We are dealing with the situation and will update the community as things develop,” according to Curve Finance’s announcement.
Jump Ahead To:
Curve’s DeFi Projects Exploited
The incident was initiated on Sunday evening with a Curve’s liquidity pool (pETH-ETH) reportedly under attack. Up to $11 worth of cryptocurrency was drained from the NFT lending protocol JPEG’d. Shortly after the news broke out, the issue resurfaced on the sETH-ETH pool.
- Other DeFi projects such as lchemix, Debridge, and Elippsis, reportedly suffered the same exploit. The exploits affected several stablecoin pools (alETH/msETH/pETH) using the Vyper 0.2.15 programming language.
- According to blockchain security service provider BlockSec, the loss is estimated at approximately $42 million at the writing time and the potential damage potentially makes up to $100 million given the use of Vyper in other projects.
- However, Vyper says only versions 0.2.15, 0.2.16, and 0.3.0 are at risk when reentrancy prevention is unavailable.
- BlockSec stated that that reentrancy attack was linked to the use of ‘use_eth’ and potentially put the WETH-related pools at risk. To mitigate the impact, Mimaklas, a member of the project team, said all affected groups had been liquidated by security experts.
- A reentrancy issue refers to a vulnerability in smart contracts that can be exploited by malicious actors to drain the contract’s funds. Reentrancy occurs when a smart contract function makes an external call to another contract, and the second contract then calls back to the first contract before the first contract has had a chance to update its state.
- This malicious approach allows the attacker to call the withdraw function repeatedly, even though the contract’s balance has already been updated. As a result, the attacker can withdraw the same funds multiple times, effectively draining the contract’s balance.
Reentrancy attacks are a common vulnerability in decentralized autonomous organizations (DAOs). These attacks exploit a flaw in the way that DAOs manage their state, allowing an attacker to withdraw funds from the DAO without actually providing any value in return.
There are a number of ways to prevent reentrancy attacks, such as using a mutex to lock the contract’s state during an external call or using a refund mechanism to return any funds that were sent to the contract before the state was updated.
The first and most known reentrancy attack was allegedly carried out in 2016 against The DAO, a popular DAO that was hacked for over $50 million worth of Ether.
Since then, there have been a number of other reentrancy attacks, including the one that targeted the Populous smart contract in 2017 and the one that occurred on CREAM Finance in 2021.
Curve DAO token ($CRV) lost more than 17% of its value following the incident. Other altcoins experienced small losses, except Optimisim ($OP). The cryptocurrency has increased 6% in the last 24 hours.
The flagship cryptocurrency Bitcoin had dropped below $29,300 before moving back above $29,400, according to data from CoinMarketCap. While hacks are common, this one looks like it could cost users a lot of money.
While cryptos do offer many advantages, the security side of the market is still being refined. Hacks like this demonstrate that there is still more work to be done.
The post Curve Finance Exploit: $100M Worth of Crypto at Risk, $CRV Drops by 17% appeared first on Blockonomi.