An issue with Vyper, an alternative programming language for smart contracts, appears to be the root cause of the exploits.
Curve Pools Suffer Huge Losses as Hackers Leverage Minor Vulnerability
Liquidity pools are smart contracts that hold tokens and supply liquidity to crypto markets without relying on financial intermediaries. Sunday's events, however, showed several projects that a small fault can result in considerable losses.
Decurity, a decentralized finance security company, revealed that cryptocurrency worth $11 million was taken from JPEG'd, an NFT lending protocol. It was the first protocol to encounter a problem with its pool on Curve.
Via Twitter, the NFT lending protocol disclosed the attack and said it had been investigating the matter since being alerted. It added that the issue appeared to be associated with the Curve pool.
Decurity Assures JPEG'd Unaffected by the Curve Pool Exploit
It advised users to consider acquiring loans by using JPEG'd to post NFTs as security. The protocol's current total value locked (TVL) in deposited assets is approximately $32 million. JPEG'd also stated that the code governing treasury funds and the security of NFTs were not affected.
Data from CoinGecko shows that the protocol's governance token was down 23 percent at the time of writing, having hit a record low of $0.000347. In a since-deleted tweet, Curve described the vulnerability as a typical read-only 'reentrancy' attack that could have been averted.
A reentrancy attack occurs when one smart contract interacts with another, and the second contract calls back into the first before the first has finished executing.
Reentrancy vulnerabilities allow an attacker to pack several calls into one function and trick a smart contract into computing incorrect balances. A major example was the $55 million DAO hack on Ethereum in 2016. Curve later replied to a Twitter account that had reposted the deleted statement, saying its earlier assessment was mistaken and that no fault lay with the projects or with Vyper.
Cyvers Executive Reveals Exploiters Deployed Reentrancy Attacks
Meir Dolev, co-founder and CTO of cybersecurity company Cyvers, said reentrancy attacks are a commonplace vector for attackers stealing from protocols. He said the attacks are very common, and that proper design and development can help avert them.
The problem was not limited to JPEG'd. Shortly after the NFT lending protocol was exploited, Metronome DAO and Alchemix suffered similar attacks, losing $1.6 million and $13.6 million respectively. Via Twitter, Alchemix said it was seeking a way to address a problem linked to its liquidity pool.
Metronome DAO, for its part, said it was still investigating the attacks and described them as 'part of a vast group of exploits.'
Regarding JPEG'd's case, Dolev said a maximal extractable value (MEV) bot front-ran the attacker. The bot spotted the would-be attacker's pending transaction and paid a fee to have the same transaction executed ahead of them.
Vyper Blames Compiler Failure for Exploit
Via Twitter, Vyper said that the component that had failed was the compiler of the programming language. Once a developer has finished writing code, the compiler translates it from human-readable source into a form the machine can execute.
According to Dolev, this prevented the reentrancy guards from working. These protections were built into the projects' code and are meant to block reentrancy attacks, but he said certain versions of the compiler failed to compile them.
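As an added illustration (not code from the article, Curve or Vyper), the Python model below stands in for a Vyper pool and shows the pattern the piece describes: the same withdraw() pays out a callback before clearing the caller's balance, once with a working reentrancy lock and once with the lock missing, as happens when the compiler fails to emit the guard. The Pool, Reentrant and simulate names and the balances are constructed for the example.

```python
# Added example (not the article's code): Python model of the reentrancy
# problem described above; all class and method names are hypothetical.
class ReentrancyError(Exception):
    pass

class Pool:
    def __init__(self, guarded: bool):
        self.guarded = guarded   # is the reentrancy lock in force?
        self.locked = False
        self.balances = {}
        self.reserve = 0         # tokens actually held by the pool
    def deposit(self, who, amount: int) -> None:
        self.balances[who] = self.balances.get(who, 0) + amount
        self.reserve += amount
    def withdraw(self, who) -> None:
        # Lock emulating a compiled-in guard such as Vyper's @nonreentrant;
        # a compiler that drops it leaves only the unguarded path below.
        if self.guarded:
            if self.locked:
                raise ReentrancyError("re-entrant call rejected")
            self.locked = True
        try:
            amount = self.balances[who]
            assert self.reserve >= amount, "pool drained"
            self.reserve -= amount
            who.receive(self, amount)   # external call BEFORE the balance is zeroed
            self.balances[who] = 0
        finally:
            self.locked = False

class Reentrant:
    # Caller whose receive() hook re-enters the pool a fixed number of times.
    def __init__(self, depth: int):
        self.depth, self.received = depth, 0
    def receive(self, pool: Pool, amount: int) -> None:
        self.received += amount
        if self.depth > 0:
            self.depth -= 1
            try:
                pool.withdraw(self)      # re-enter while the outer call is mid-flight
            except ReentrancyError:
                pass                     # a working guard stops the nested call

def simulate(guarded: bool, depth: int = 3):
    """Return (tokens paid to the re-entrant caller, tokens left in the pool)."""
    pool = Pool(guarded)
    pool.deposit("honest_lp", 90)   # constructed sample balances
    caller = Reentrant(depth)
    pool.deposit(caller, 10)
    pool.withdraw(caller)
    return caller.received, pool.reserve
```

With the lock in force the caller receives only its own 10 tokens; without it, the same three nested calls pay out 40 and leave the honest depositor's funds short.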