- The Vyper compiler version 0.2.15, 0.2.16, and 0.3.0 confirmed that it couldn’t properly apply the reentrancy lock.
- As expected, attackers exploited this vulnerability and continuously called the function on a series of protocols that used the affected versions of the Vyper compiler.
- A statement on Curve’s website revealed that affected pools include alETH/ETH, msETH/ETH, pETH/ETH, and CRV/ETH.
Due to an error affecting the Ethereum Virtual Machine (EVM) compiler Vyper, a hack attack was launched on the Curve Finance pools.
Vyper Bug Causes Significant Loss at Curve
On July 30th, the decentralized finance (DeFi) sector of the crypto ecosystem faced another challenge due to an error affecting the Ethereum Virtual Machine (EVM) compiler Vyper during intraday trading. The EVM compiler is a program that converts code written in high-level programming languages like Solidity into bytecode that the EVM can execute.
The widely used Vyper compiler within the ecosystem is a Python-based compiler for the Vyper programming language. It takes Vyper code as input and transforms it into executable bytecode for the Ethereum Virtual Machine (EVM).
On July 30th, Vyper confirmed that the compiler versions 0.2.15, 0.2.16, and 0.3.0 couldn’t properly apply the reentrancy lock. Reentrancy lock is a security mechanism in smart contracts and decentralized applications (DApps) that prevents a function in a smart contract from being called multiple times before the previous call is completed. This security measure is implemented to prevent malicious individuals from repeatedly calling smart contract functions that withdraw funds.
As expected, attackers exploited this vulnerability and continuously called the function on a series of protocols that used the affected versions of the Vyper compiler. The attackers primarily targeted Curve Finance pools, and initial estimates suggest losses of up to $70 million.
Curve pools are a type of automated market maker designed to provide efficient and low-cost trading for stablecoins. According to a statement on Curve’s website, the affected pools include alETH/ETH, msETH/ETH, pETH/ETH, and CRV/ETH.
To prevent further hacks and fund losses, Curve stated that “all affected pools are either drained or protected by white hats, and the team is assessing the situation with affected teams.”
CRV Token Faces Troubles
Curve’s founder, Michael Egorov, also found himself in the midst of this turmoil. Previously, Egorov used a portion of his CRV tokens as collateral to borrow from various credit protocols, with the largest debt taken from Aave.
His collateral was at risk of being liquidated. The continuous decline in CRV’s price could lead to a drop below the liquidation threshold of his collateral. When news of the attack spread, many traders sold their CRV holdings.
According to decentralized exchanges, the CRV price only dipped to a low of $0.583 but plummeted to as low as $0.109 on the blockchain. After the hack on the CRV/ETH pool, liquidity on the blockchain was severely reduced, leading to price fluctuations.
Egorov had been making regular repayments on his loans and had taken precautions against the risk of loan liquidation in the event of further CRV price declines. However, the depletion of liquidity in the CRV/ETH pool exposed his collateral to automatic liquidation risk by Aave.
Furthermore, lenders have started to withdraw their pools from credit protocols to protect against losses. For example, Aave’s USDT pool usage remains above 50%. The borrowing rate has exceeded 90%, putting Egorov’s position at risk if rates do not decrease in the coming days.
As mentioned by ASXN, a digital asset research firm, attackers who have stolen CRV tokens may “dump” them on the protocol’s CRV/ETH pool, further reducing the token’s value. In this scenario, Egorov would be at risk of liquidation.
Currently, CRV is trading at $0.6512. It has experienced a 12% decline in the last 24 hours, making it the biggest loser among tokens during this period. On the daily chart, CRV sales continue. The Relative Strength Index and Money Flow Index indicate that CRV is currently oversold. Similarly, the Chaikin Money Flow is resting below the zero line, confirming an increased liquidity outflow from the CRV market.
