DeFi platform Curve Finance warned of a potential exploit on Arbitrum’s tricrypto liquidity pool following last weekend’s multi-billion hack due to issues with the Vyper programming language.
While developers could not identify a profitable exploit on this Arbitrum LP, Curve’s team advised users to withdraw to avoid possible losses.
The decentralized exchange also confirmed successful attacks on four LPs denominated in Ether pairs – CRV/ETH, alETH/ETH, msETH/ETH, and pETH/ETH.
$52 Million Hack On Curve Finance Pools
exploits on factory pools provided by decentralized finance protocols Alchemix, Metronome, and JPEGd due to a malfunctioning reentrancy vulnerability in Vyper, a compiler programming language.
According to one Vyper contributor, the hacker exploited an obscure attack vector. “they dug *deep* in our release history to find an exploitable issue for a large protocol with many millions at stake,” said @fubuloubu on Twitter.
I think it’s on the order of weeks to months to find. The execution was fairly coordinated, perhaps by a small group or team. We might find more information soon, but I think it’s reasonable to suspect that state-sponsored hackers could be involved, due to the resources invested
Over the weekend, exploiters and ethical hackers battled for Ethereum block space as Curve Finance experienced outflows in the millions. One attacker lost their loot to an MEV bot operator seeking to safeguard Curve funds amid the incident.
The MEV bot operator identified by their ENS tag “c0ffeebabe.eth” returned 2,879 ETH worth $5.4 million to Curve’s deployer contract, per security outpost PeckShield.