Several stable pools on Curve Finance using Vyper were exploited on July 30, with losses reaching $24 million at the time of writing. According to Vyper, its 0.2.15, 0.2.16 and 0.3.0 versions are vulnerable to malfunctioning reentrancy locks.
“The investigation is ongoing but any project relying on these versions should immediately reach out to us,” Vyper wrote on X.
We’re running a large white hat rescue operation. Please reach out if you think you’re affected as a project. https://t.co/tssWcRHg35
— sudo rm -rf –no-preserve-root / (@pcaversaccio) July 30, 2023
According to initial investigation, some versions of the Vyper compiler do not correctly implement the reentrancy guard, which prevents multiple functions from being executed at the same time by locking a contract. Reentrancy attacks can potentially drain all funds from a contract.
A number of decentralized finance projects were affected by the attack. Decentralized exchange Ellipsis reported that a small number of stable pools with BNB were exploited using an old Vyper compiler. Alchemix also witnessed $13.6 million outflow, along with $11.4 million exploited on JPEGd’s.
Curve Finance is a DeFi protocol that enables the decentralized exchange (DEX) of stablecoins within Ethereum.
This is a developing story, and further information will be added as it becomes available.