Curve Cracked: How $52M Vanished in a Vyper Vulnerability

In a recent turn of events, the decentralized stablecoin protocol Curve faced a significant reentrancy attack resulting in severe losses. Here, MetaTrust Labs presents a security analysis of the incident and provides essential security recommendations.

Event Recap

According to Curve Finance's official Twitter account, on July 31, 2023, some stablecoin pools (alETH/msETH/pETH) written using Vyper version 0.2.15 were subjected to a reentrancy attack. Curve Finance clarified that this attack was caused by a malfunctioning reentrancy lock in Vyper 0.2.15 and solely affected pools using pure ETH. Presently, Curve is assessing the extent of the damage, ensuring the safety of other pools.

Based on MetaTrust Labs' analysis, this vulnerability was introduced between August and October 2021, primarily due to the Vyper compiler versions 0.2.15/0.2.16/0.3.0. The root cause of the exploit was a compiler bug that resulted in ineffective reentrancy protection in the generated bytecode.

On the day of the attack, MetaTrust Labs published 3 alert tweets in the first time and informed one of the attacked projects, AlchemixFi, through twitter message, which was recognized and liked by the team.

As per on-chain data, the Curve Finance stablecoin pool hack has led to cumulative losses of $52 million in projects like Alchemix, JPEG’d, and the CRV/ETH pool. The Curve Finance native token, CRV, has also taken a hit, experiencing a drastic intraday drop of over 15%.

Root Causes

Curve Finance fell victim to this attack due to the use of Vyper, a smart contract programming language, with version 0.2.15. Unfortunately, this version contained a bug known as "malfunctioning reentrancy locks," which attackers exploited to cause the losses. The vulnerability faced by Curve Finance is categorized as a Language Specific flaw.

Language Specific vulnerabilities arise from defects or incompatibilities in the programming language or compiler itself. These types of vulnerabilities are challenging to detect and prevent since they result from issues with the underlying technical platform rather than developer oversight or logical errors. Moreover, such vulnerabilities may affect multiple projects or contracts utilizing the same language or compiler.

Vyper, as a Python-based smart contract programming language, aims to provide higher security and readability. It claims to be "security-first" and omits certain features, such as classes, inheritance, modifiers, and inline assembly, which could introduce security risks. Nevertheless, Vyper is not without flaws and may still have bugs or vulnerabilities that can impact contract security. In addition to the reentrancy lock fault faced by Curve Finance, Vyper has previously encountered issues like array overflows, integer overflows, and storage access errors.

Security Suggestions

In response to the reentrancy attack on Curve Finance, several measures have been taken or proposed. Here are some potential security actions Curve could take:

1. Remove Liquidity: Users of affected pools can choose to remove liquidity to avoid further losses. Curve Finance has already provided a "Remove Liquidity" button on its official website to facilitate this process.
2. Upgrade Compiler: Contracts compiled with Vyper versions 0.2.15/0.2.16/0.3.0 should be upgraded to the latest version, Vyper 0.3.1, as it addresses the reentrancy lock issue. Additionally, employing other tools or methods for contract security verification, such as formal verification and code audits, is advisable.
3. Heightened Vigilance: Projects utilizing Vyper or any other programming language should exercise increased vigilance, closely monitoring language or compiler updates and vulnerability fixes, and taking necessary measures to safeguard their assets. Furthermore, when adopting new languages or technologies, thorough evaluations of their maturity and stability are essential to avoid blindly pursuing novelty or efficiency.

Conclusion

The reentrancy attack on Curve Finance serves as a regrettable security incident and a thought-provoking lesson. In the realm of DeFi, security always takes precedence, and project teams must continually raise their awareness and capabilities to combat potential threats. In this ever-evolving landscape, even the smallest detail can become an attacker's point of entry.

About Us

At MetaTrust, our primary focus is on creating a secure infrastructure that caters to the needs of developers in the WEB 3.0 space. We offer an array of AI-Driven automation tools and security services to assist Web3 developers and project stakeholders in achieving a secure development environment.

Website || Twitter || Telegram || Try MetaScan for FREE