Curve Finance’s liquidity pools have suffered multiple exploits due to a vulnerability in the Vyper programming language that was used by some of its pools. The exploits resulted in significant losses for several DeFi projects that integrated with Curve, totaling over $24 million. Curve Finance has acknowledged the issue and said that it was working on fixing it and updating the community. The exploits highlight the risks and challenges of DeFi, especially when it comes to smart contract security and code quality.
What is Curve Finance?
Curve Finance is an automated market maker (AMM) platform that allows users to trade and provide liquidity for stablecoins and other low-volatility tokens. Curve aims to offer low slippage, high capital efficiency, and attractive yields for liquidity providers. Curve also has a governance token called CRV, which can be staked or used to vote on protocol decisions.
What happened?
On July 30, 2023, several DeFi projects that used Curve’s liquidity pools reported that they were attacked by hackers who exploited a vulnerability in the Vyper code. The vulnerability allowed the attackers to manipulate the balances of the pools and withdraw more funds than they deposited. The projects affected by the exploits include:
- Conic Finance: A yield aggregator that lost $8.9 million worth of crypto.
- JPEG’d: An NFT lending protocol that lost $11 million worth of crypto.
- Metronome: A cross-chain cryptocurrency that lost $2.8 million worth of crypto.
- Alchemix: A synthetic asset platform that lost $1.4 million worth of crypto.
The total amount stolen from the exploits is estimated to be over $24 million. The attackers leveraged a vulnerability in the alETH/msETH/pETH pools on Curve, which used Vyper 0.2.15 as the programming language. Vyper is a Python-like language that was designed to be more secure and easier to audit than Solidity, the most widely used language for Ethereum smart contracts. However, Vyper has been criticized by some developers for being less expressive and less compatible with other tools and frameworks.
How did Curve Finance respond?
Curve Finance acknowledged the issue on Twitter and said that it was caused by a malfunctioning reentrancy lock in the Vyper code. A reentrancy lock is a mechanism that prevents a smart contract from being called again before it finishes executing. This is meant to prevent reentrancy attacks, which are a common type of exploit in DeFi where an attacker can repeatedly call a function and drain funds from a contract.
Curve Finance said that other pools that did not use Vyper were safe and that it was working on fixing the issue and updating the community as things developed. Curve also said that there was no wrongdoing on the side of the projects who integrated with its pools or the users of Vyper. Curve added that it was working with Vyper developers to find out what went wrong and how to prevent similar incidents in the future.
What are the implications?
The exploits on Curve Finance’s liquidity pools are another reminder of the risks and challenges involved in DeFi, especially when it comes to smart contract security and code quality. While DeFi offers many opportunities for innovation and financial inclusion, it also exposes users and developers to potential vulnerabilities and losses due to malicious actors or human errors.
The exploits also raise questions about the trade-offs between security and expressiveness in programming languages for smart contracts. While Vyper was intended to be a safer alternative to Solidity, it seems that it also introduced some unforeseen bugs and limitations that compromised its security. On the other hand, Solidity may offer more flexibility and compatibility, but it also requires more caution and testing to ensure its correctness.
The exploits may also affect the reputation and adoption of Curve Finance and its governance token CRV, which has dropped by over 19% in the past 24 hours, according to CoinGecko. Curve Finance is one of the largest DeFi platforms on Ethereum, with over $10 billion in total value locked (TVL), according to DeFi Pulse. However, it may face competition from other AMM platforms that offer more security or features for users and developers.
🤷♂️