On Sunday, attackers drained more than $24 million in cryptocurrency from decentralized finance protocols by exploiting a vulnerability affecting liquidity pools on Curve, the automated market maker platform.
According to Curve on Twitter, the vulnerability was traced back to Vyper, an alternative programming language for Ethereum smart contracts. Curve confirmed that its other liquidity pools, which do not use this language, were unaffected and remain secure.
Decurity, a decentralized finance security firm, revealed that the NFT lending protocol JPEG’d suffered an $11 million cryptocurrency theft. JPEG’d was one of the first to detect the problem in its Curve pool.
Exploit’s Root Cause
Curve initially described the vulnerability as a typical “re-entrancy” attack in a tweet that has since been deleted. A re-entrancy attack occurs when a smart contract makes an external call to another contract before it has finished updating its own state; the called contract can then call back into the first one while the original execution is still incomplete.
This lets an attacker trigger the same function repeatedly within a single transaction, so the contract performs its checks against stale balances and pays out more than it should. The $55 million 2016 DAO hack on Ethereum is the best-known example.
Curve's first statement on Twitter was later retracted and corrected. Curve confirmed that neither the projects that integrated Vyper nor their users had done anything wrong.
According to Vyper on Twitter, the fault lay in the language's compiler: the re-entrancy guards that projects had included in their code, which are meant to block re-entrancy attacks, were not enforced in the compiled contracts.
That failure prevented re-entry guards, protections that were included in the projects' code and should have guarded against re-entry attacks, from working, Meir Dolev, co-founder and CTO of cybersecurity firm Cyvers, told Decrypt.
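To make both points concrete, the re-entrancy mechanism described under “Exploit's Root Cause” and the inert guard that Vyper and Dolev describe, here is an added Python simulation. It is constructed for this article and is not Curve or Vyper code: the vault, the attacker and the external call are modelled as ordinary Python classes and method calls, and the names Vault, Attacker, guard_works and effects_first are this example's own. The third scenario models what the article reports: a lock that is declared in the source but does nothing at runtime.

```python
"""Toy simulation of a re-entrancy attack and of a re-entrancy lock.

Constructed illustration, not Curve or Vyper code.  Contracts are plain
Python classes and the "external call" is a method call on the recipient;
that is enough to show why paying out before updating state is unsafe,
what a working lock does, and what happens when the lock exists in the
source but is inert at runtime.
"""


class ReentrancyError(Exception):
    """Raised when a working lock rejects a nested call."""


class Vault:
    def __init__(self, guard=False, guard_works=True, effects_first=False):
        self.balances = {}                  # depositor -> credited amount
        self.ether = 0                      # ether the contract actually holds
        self.guard = guard                  # source declares a re-entrancy lock
        self.guard_works = guard_works      # False: lock compiled to a no-op
        self.effects_first = effects_first  # checks-effects-interactions order
        self._locked = False

    def _lock_active(self):
        return self.guard and self.guard_works

    def deposit(self, who, amount):
        self.balances[who] = self.balances.get(who, 0) + amount
        self.ether += amount

    def withdraw(self, caller):
        if self._lock_active() and self._locked:
            raise ReentrancyError("re-entrant call rejected")
        if self._lock_active():
            self._locked = True
        try:
            amount = self.balances.get(caller, 0)
            if amount == 0 or amount > self.ether:
                raise ValueError("nothing to withdraw")
            if self.effects_first:
                self.balances[caller] = 0   # state updated before the call
            self.ether -= amount
            caller.receive(self, amount)    # external call: callee runs code
            if not self.effects_first:
                self.balances[caller] = 0   # too late if the callee re-entered
        finally:
            if self._lock_active():
                self._locked = False


class Attacker:
    """Re-enters withdraw() from the payment callback until the vault is empty."""

    def __init__(self):
        self.stolen = 0
        self.callbacks = 0

    def receive(self, vault, amount):
        self.stolen += amount
        self.callbacks += 1
        credited = vault.balances.get(self, 0)
        if credited == 0 or vault.ether < credited:
            return                      # nothing left to take
        try:
            vault.withdraw(self)        # nested call while the outer one is pending
        except ReentrancyError:
            pass                        # a working lock stops the attack here


class Honest:
    def receive(self, vault, amount):
        pass


def run(guard=False, guard_works=True, effects_first=False):
    """Return (attacker's takings, ether left in the vault).

    Constructed scenario: an honest depositor holds 100, the attacker 10.
    """
    vault = Vault(guard, guard_works, effects_first)
    victim, attacker = Honest(), Attacker()
    vault.deposit(victim, 100)
    vault.deposit(attacker, 10)
    vault.withdraw(attacker)
    return attacker.stolen, vault.ether


if __name__ == "__main__":
    print("no guard, interaction before effects:", run())
    print("working lock:                        ", run(guard=True))
    print("lock declared but inert:             ", run(guard=True, guard_works=False))
    print("no lock, effects before interaction: ", run(effects_first=True))
```

The first and third scenarios end the same way: the attacker, credited with 10, walks away with all 110 because each nested withdraw still sees the original balance. The lock only helps when it is actually enforced at runtime, which is why a compiler that silently drops it is as bad as having none. Ordering the state update before the external call (the checks-effects-interactions pattern) closes the hole independently of the lock and is worth keeping even where a lock is used.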