Several Curve Finance liquidity pools were attacked on July 30 due to a vulnerability found in the Vyper programming language. Vyper is a contract programming language created for the Ethereum Virtual Machine (EVM).
Curve Finance is one of the key decentralized finance (DeFi) protocols because of the liquidity services it provides, and the code vulnerability put nearly $100 million worth of digital assets at risk.
The vulnerability was found in Vyper versions 0.2.15, 0.2.16 and 0.3.0, where it caused the reentrancy lock to malfunction. As a result, millions were drained from four Curve pools, namely aETH/ETH, msETH/ETH, pETH/ETH and CRV/ETH. Because the flaw is present in three versions of the compiler, it may also affect a number of other protocols.
The price of Curve Finance's native token (CRV) collapsed on the DeFi market after several of its pools were heavily drained, but it was eventually saved by the centralized exchange price feed. CRV hit $0.086 on decentralized exchanges (DEX) while trading at $0.60 on centralized exchanges (CEX), which kept the price of the native token from collapsing to zero.
Curve pools use Chainlink's oracle system, which incorporates several price feeds, including those of centralized exchanges. If not for the CEX price feed, Curve Finance would have collapsed. The irony drew the attention of Binance CEO Changpeng Zhao, who chuckled at the fact that, in the end, it was a CEX price feed that saved the DeFi ecosystem.
Zhao noted that Binance was not impacted by the Vyper vulnerability, as the crypto exchange had updated the code to the latest version, and reminded everyone of the importance of upgrading code libraries.
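The affected-version list and the upgrade reminder above translate into a simple source audit: find contracts pinned to one of the three named compiler versions that also rely on the reentrancy lock. The Python check below is an added example, not code from Curve, Vyper or Binance; it assumes the `# @version` / `#pragma version` source pragma and the `@nonreentrant` decorator, and the sample contracts are constructed.

```python
import re

# Compiler versions the article names as shipping the malfunctioning lock.
AFFECTED = {"0.2.15", "0.2.16", "0.3.0"}

# Version pragma at the start of a line (assumed forms of the Vyper pragma).
PRAGMA = re.compile(r"^#\s*(?:@version|pragma\s+version)\s+(\S+)", re.MULTILINE)
# Decorator that asks the compiler to emit a reentrancy lock (assumed name).
LOCK = re.compile(r"^\s*@nonreentrant\b", re.MULTILINE)


def audit(source: str) -> str:
    """Classify one Vyper source file against the article's version list.

    exposed           - pinned to a listed version and uses the lock
    affected-compiler - pinned to a listed version, no lock decorator found
    check-build       - no pragma or a version range: the compiler actually
                        used must be confirmed from build artifacts
    not-listed        - pinned to a version the article does not name
    """
    match = PRAGMA.search(source)
    if match is None:
        return "check-build"
    spec = match.group(1).lstrip("=")
    if not spec[:1].isdigit():          # ^, ~, >=, < ... describe a range
        return "check-build"
    if spec not in AFFECTED:
        return "not-listed"
    return "exposed" if LOCK.search(source) else "affected-compiler"


# Constructed sample sources (not real pool contracts).
POOL = (
    "# @version 0.2.15\n\n"
    "@external\n"
    '@nonreentrant("lock")\n'
    "def remove_liquidity(amount: uint256):\n"
    "    pass\n"
)
VIEW_ONLY = "# @version 0.3.0\n\n@external\n@view\ndef price() -> uint256:\n    return 1\n"
RANGED = '# @version ^0.2.15\n\n@external\n@nonreentrant("lock")\ndef f():\n    pass\n'
# 9.9.9 is a placeholder version, chosen only because it is not on the list.
PINNED_ELSEWHERE = '#pragma version 9.9.9\n\n@external\n@nonreentrant("lock")\ndef f():\n    pass\n'

if __name__ == "__main__":
    for name in ("POOL", "VIEW_ONLY", "RANGED", "PINNED_ELSEWHERE"):
        print(f"{name:17} {audit(globals()[name])}")
```

A pragma only states what the source asks for; for deployed contracts the compiler version recorded at build or verification time is the authoritative value, which is why ranges and missing pragmas are reported as `check-build` rather than cleared.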
The bug in the earlier versions of the Vyper code is believed to be at least 1.5 years old, and the exploiter is believed to have dug *deep* into the release history to find an exploitable issue in a large protocol with many millions at stake. A Vyper contributor suggested on Twitter that the amount of time and resources put into the exploit indicates it might be a state-sponsored attack.