Abstract: In the aftermath of an exploit that resulted in a staggering $41 million loss on Curve Finance, concerns arise over the vulnerability of smart contracts built with certain versions of the programming language Vyper, affecting not only Curve but other related protocols and DeFi projects.
Multiple teams that have forked the Curve Finance code are now reporting exploits after a hacker discovered a vulnerability in an old compiler used in the programming language Vyper, resulting in an estimated $41 million being exploited from the Curve Finance decentralized exchange. The incident raises concerns about the broader DeFi ecosystem, specifically smart contracts built with certain versions of Vyper, which is commonly used in various crypto projects but less prevalent than Solidity, according to Michael Lewellan, OpenZeppelin's head of solutions architecture.
Vyper's team tweeted that contracts developed with versions 0.2.15, 0.2.16, and 0.3.0 of the language are currently “vulnerable to malfunctioning reentrancy locks,” urging developers of other Vyper-based decentralized applications (dApps) to address the issue immediately. The problem lies within Vyper itself, which has been in existence for a considerable time, explained Gustavo Gonzales, a solutions developer at OpenZeppelin.
The hack's execution and exposure of Curve's smart contract vulnerability have led some, like the pseudonymous Vyper developer “señor doggo,” to suspect the involvement of “state-sponsored hackers” due to the level of resources, time, and expertise employed.
The issue affects Vyper-based smart contracts that meet two conditions: they must be built using version 0.2.15 of Vyper, and appropriate safeguards for adding and removing liquidity must not be implemented in the code, as stated by Officer's Notes, an independent security researcher.
As a consequence of the exploit, other Curve protocol forks on different chains are facing similar exploit reports. Ellipsis Finance, an authorized Curve fork with $6.5 million in total deposits, tweeted about a “small number of stablepools with BNB” being exploited.
The Tricrypto pool on Curve's deployment on the layer-2 solution Arbitrum was also “potentially affected” but had not been exploited at the time of the announcement, according to the Curve Finance team.
In response to the situation, Auxo DAO, a decentralized yield-farming fund with total deposits worth $5.4 million, decided to remove liquidity from Curve and Convex Finance pools as a precautionary measure against contagion risks.
Convex Finance, a DeFi application providing yield optimization strategies for Curve's CRV tokens with total deposits worth $1.382 billion, experienced a significant liquidity drop of 52.5% since the exploit, decreasing from $2.91 billion to $1.382 billion.
Convex Finance holds approximately 298.3 million CRV tokens, representing about one-third of CRV's circulating supply, according to a Dune dashboard.
To earn fees and staking rewards from Curve, users usually need to lock CRV tokens for up to four years. However, Convex bypasses this locking period by issuing a derivative called cvxCRV, allowing liquidity retention and enabling users to lock CRV tokens to earn trading fees and claim boosted CRV without locking their CRV.