Hacker withdrew $47 million from Curve Finance liquidity pools

Carding

On July 30, an unknown person attacked DEX Curve Finance stablecoin pools and withdrew about $47 million using a vulnerability in the Vyper program code.

“Several stable pools (alETH/msETH/pETH) using Vyper 0.2.15 have been compromised due to a bug in the re-entry mechanism. We are evaluating the situation and will update the community as events unfold. Other pools are safe,” Curve wrote.
Vyper is a Python-based contract-oriented programming language designed for the Ethereum Virtual Machine. The developers acknowledged that the re-entry exploit is in versions 0.2.15, 0.2.16 and 0.3.0.

According to Ancilia analysts, about 460 protocols used vulnerable software.

According to Curve's investigation, some compiler versions incorrectly implemented re-entry protection, the mechanism that locks the contract so that several of its functions cannot execute at the same time.

A number of Curve DeFi projects were affected by the attack, including JPEG'd, MetronomeDAO, deBridge, and Ellipsis. The alETH-ETH Alchemix pool lost the most — $13.6 million.

BlockSec experts also reported that a similar exploit affected three projects in the BNB Smart Chain. In total, the attacker withdrew about $73,000 from protocols on the network.

A white hat hacker and MEV bot operator c0ffebabe.eth was able to secure approximately $5.4 million worth of 2,879 ETH stolen from Curve pools by asking affiliated protocols to contact him to recover the assets. He later transferred another 1,000 ETH (~$1.8 million) to a cold wallet.

According to DeFi Llama, Curve Finance’s total locked value almost halved overnight, from $3.25 million to $1.73 million.

The utility token of the Curve DAO (CRV) project fell by 11.5% in 24 hours, according to CoinGecko. At the time of writing, the asset is trading at $0.6492.

The largest South Korean exchange, Upbit, announced that the volatility of CRV increased due to the attack, so the platform suspended all deposits and withdrawals on the coin.
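As an added illustration of the re-entry guard the post describes (this is a constructed Python model, not code from the article, Curve or Vyper): a keyed lock compared under two compiler behaviours, one shared slot per key versus one slot per function, the latter being the defect in the affected Vyper versions. The function names and the callback hook are assumptions.

```python
# Added model of Vyper's @nonreentrant("key") guard (constructed for this page, not code from
# Curve, Vyper or the article). A correct compiler keeps one lock slot per key, shared by every
# function tagged with it; Vyper 0.2.15-0.3.0 allocated a slot per function instead, so
# re-entering a different function under the same key was not blocked.  Names are hypothetical.

class Reentered(Exception):
    pass

class Pool:
    def __init__(self, shared_lock: bool):
        self.shared_lock = shared_lock   # True = correct compiler, False = affected versions
        self.locks = {}                  # contract storage: lock slot -> bool
        self.trace = []                  # order in which function bodies ran

    def _slot(self, fn: str, key: str):
        # Correct: slot depends only on the key.  Buggy: each function gets its own slot.
        return key if self.shared_lock else (key, fn)

    def _nonreentrant(self, fn: str, key: str, callback):
        slot = self._slot(fn, key)
        if self.locks.get(slot):
            raise Reentered(fn)          # guard rejects the nested call
        self.locks[slot] = True
        try:
            self.trace.append(fn)
            if callback is not None:     # external call (e.g. ETH transfer) hands control away
                callback(self)
        finally:
            self.locks[slot] = False     # released only when the outer call finishes

    def add_liquidity(self, callback=None):
        self._nonreentrant("add_liquidity", "lock", callback)

    def remove_liquidity(self, callback=None):
        self._nonreentrant("remove_liquidity", "lock", callback)

def reentry_blocked(shared_lock: bool, first: str, second: str) -> bool:
    """Run `first`; during its external call re-enter `second`. True if the guard blocked it."""
    pool = Pool(shared_lock)
    blocked = False
    def callback(p: Pool):
        nonlocal blocked
        try:
            getattr(p, second)()         # nested call, no further callback
        except Reentered:
            blocked = True

    getattr(pool, first)(callback)
    return blocked
```

With the shared slot every nested call is rejected; with per-function slots only re-entry into the same function is, which is why a guard must be verified across all functions that share a key.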
 
Following the Curve: Where did the $52 million in Curve Finance go?

The Curve Finance exchange was subjected to a cyberattack that affected a large number of assets and pools.

Popular decentralized exchange (DEX) Curve Finance has experienced a cyberattack that affected several Ethereum pools and an Arbitrum-based liquidity pool. The incident led to the theft of $52 million.

DEX Curve Finance is a platform for exchanging Ethereum assets for Staked Ethereum or USDT Tether for USDC Circle. The tool provides traders with the opportunity to profit from price discrepancies between assets.

Three liquidity pools have been breached, including tokens that are paired with Ethereum (ETH) and the Curve (CRV) governance token.

Several ERC-20 tokens issued on Alchemix (alETH), Metronome Synth (smETH), and JPEG’d (pETH) were also compromised due to a vulnerability in older versions of the Vyper compiler for writing smart contracts on the Ethereum blockchain.

As the situation developed, a potential threat to the liquidity pool deployed on Arbitrum became known. The Curve Finance team warned that the Tricrypto pool, which consists of USDC, wBTC and ETH, could also be affected. Although security experts did not identify attacks on Tricrypto, they recommended that liquidity providers leave the pool.

In addition to Curve Finance, another DEX, Ellipsis, powered by BNB Chain, was also affected by the cyber attack. Ellipsis representatives reported on the operation of the pools at the same time as Curve Finance.

Following the incidents, the DeFi community demanded regular auditing and updating of smart contracts, highlighting the need for increased security measures. While the investigation continues, the DeFi community is closely monitoring the situation to assess the full extent of the damage and prevent similar incidents in the future.
 
An unknown hacker who attacked DEX Curve Finance has started a refund. At the time of writing, he sent back more than $20 million worth of assets.

“We thank the Curve Finance hacker for returning 4819 alETH and 2259 ETH [about $12.3 million in total]. We look forward to further cooperation, which will lead to the return of the remaining funds,” wrote Alchemix.

In a message attached to the transaction, the hacker explained his decision not by fear of being caught, but by unwillingness to destroy the project.

“Maybe that's a lot of money for a lot of people, but not for me. I'm smarter than all of you,” he wrote.

The JPEG'd project also confirmed the return of 5494 WETH (more than $10 million). The hacker received the promised 10% reward of 610.6 WETH ($1.1 million).

On July 30, an unknown person attacked Curve Finance's stablecoin pools using a vulnerability in the Vyper code. Initially, the total losses from the hack were estimated at $47 million. According to DeFi Llama, the amount increased to $61.7 million.

The incident affected Alchemix, JPEG'd, MetronomeDAO, Ellipsis and deBridge projects. More than 450 pools were at risk due to the bug.

A few days after the hack, the CRV token lost about 30%, dropping to $0.5. After that, the asset began to recover; at the time of writing, CRV is trading at $0.63.

Binance CRV/USDT Hourly Chart. Data: Trading View.

Recall that Tron co-founder Justin Sun and Huobi co-founder Jun Du purchased 5 million CRV and 10 million CRV, respectively, from Curve Finance founder Mikhail Egorov at a below-market price of $0.4 per token.
 
The attacker behind the theft of crypto assets from the DeFi protocol Curve Finance, as well as the Metronome and Alchemix projects, returned part of the stolen funds after negotiations.

The hacker asked the Alchemix project, which became one of the victims of the hack, to confirm the protocol address to which he could return the assets. Shortly thereafter, he transferred almost $10 million in Ether and alETH to the Alchemix wallet in multiple transactions.

The Curve hack forced investors to withdraw assets as a precautionary measure. After that, the price of the CRV token fell by 31% to 50 cents. Now the Curve token is up 5% in just 24 hours.

The Curve, Metronome and Alchemix protocols lost $61.7 million worth of crypto assets in a hack in July. The developers offered a 10% reward for refunds.

Recently, experts from the analytical platform DefiLlama reported that over the past year hackers have been able to steal more than $6.7 billion from decentralized finance protocols. Crypto bridges have suffered the most.

According to CoinMarketCap data, the capitalization of the crypto asset market has fallen amid concerns about the Curve Finance hack and a possible drop in the liquidity of the AAVE platform.
 
Curve Finance returned only 70% of the stolen funds

On July 30, the platform was subjected to a cyber attack and lost $61 million worth of digital assets.

The DEX Curve Finance project announced the return of 70% of the funds stolen on July 30 as a result of an attack on stablecoin pools.

"70% of the funds stolen during the hacking last week were returned, and an active investigation is underway regarding the balance. We are also working to determine the shares of each affected user in order to properly distribute them," the project said in a statement.

A hacker attacked Curve pools on July 30 and stole more than $61 million worth of cryptocurrency using vulnerable versions of the Vyper programming language. Three liquidity pools, including tokens paired with Ethereum (ETH) and the Curve management token (CRV), were affected by the security breach.

Several ERC-20 tokens issued on Alchemix (alETH), Metronome Synth (smETH), and JPEG'd (pETH) were also compromised due to vulnerabilities in older versions of the Vyper compiler for writing smart contracts on the Ethereum blockchain.

On August 3, Curve and the other affected protocols offered the attacker a reward of 10% of the stolen amount (more than $6 million) for returning it. The hacker agreed to return the assets of Alchemix and JPEG'd, but did not give the money back to the other affected pools.