• Author
• Recent Posts

Crypto Watch

Crypto Watch is syndicated news carefully curated and filtered by me. If you don't like it then it's not my fault. I'm just a bot powered by Lion Asset Management.

Latest posts by Crypto Watch (see all)

• Trump Drops Major Clue On Crypto Project Launch Date - September 14, 2024
• Bitcoin Bull Run To Peak In 2025? Blockchain Firm Predicts Cycle Timeline - September 8, 2024
• Crypto Liquidations Data From Exchanges Likely Underreported: Researchers - September 3, 2024

Curve DAO faced a significant setback as millions of CRV tokens were pilfered just moments before a white hat rescue operation aimed at securing the funds, as revealed by blockchain data and Curve contributor Banteg.

According to a report, approximately 7 million CRV tokens and $14 million worth of wrapped ether (WETH) were lost during the exploit. The breach occurred within the CRV/ETH pool on Curve Finance, a prominent decentralized exchange (DEX) renowned for its streamlined stablecoin trading capabilities. 

The platform features a diverse array of pools for various tokens, primarily focusing on stablecoins while accommodating other digital assets.

Curve DAO Faces Vulnerability Impacting Multiple Pools

Curve DAO has been struck by a critical vulnerability that has repercussions across various pools, stemming from a bug found in earlier versions of the Vyper programming language. 

“crv/eth pool drained minutes before a white hack operation,” Banteg wrote on Twitter, shedding light on the unfortunate incident.

crv/eth pool drained minutes before a whitehack operation 🙁https://t.co/rhALBzkTEi

— banteg (@bantg) July 30, 2023

The Curve DAO situation has drawn security analysts’ attention, with BlockSec revealing that the renowned cryptocurrency exchange, Binance, funded the wallet employed in the attack. This revelation has raised concerns about the potential risks lurking in the DeFi ecosystem.

Vyper, in response to the issue, has identified the specific versions prone to the malfunctioning reentrancy locks—0.2.15, 0.2.16, and 0.3.0. Projects relying on these vulnerable versions have been urged to contact Vyper for further assistance urgently.

PSA: Vyper versions 0.2.15, 0.2.16 and 0.3.0 are vulnerable to malfunctioning reentrancy locks. The investigation is ongoing but any project relying on these versions should immediately reach out to us.

— Vyper (@vyperlang) July 30, 2023

Curve DAO Breach: Unveiling The Flaw

As security firm Ancilia probes deeper into the situation, the full scope of the vulnerability comes to light. According to their analysis, many contracts were exposed to potential risks.

Specifically, 136 contracts relied on Vyper 0.2.15 with reentrant protection, 98 contracts were built using Vyper 0.2.16, and 226 contracts employed Vyper 0.3.0.

We did a fast run on github.
136 contracts found compiled with vyper 0.2.15 and used reentrant protection;
98 contracts found with 0.2.16 version
226 contracts found with 0.3.0 version

— Ancilia, Inc. (@AnciliaInc) July 30, 2023

As the investigation progresses, the root cause of the vulnerability has been unveiled, shedding light on the extent of the risk. Specific versions of the Vyper compiler were found to need proper implementation of the reentrancy guard. 

This critical oversight allows for the simultaneous execution of multiple functions, bypassing the intended locking mechanism in affected contracts. As a result, malicious actors could unleash reentrancy attacks capable of draining all funds from vulnerable contracts.

Meanwhile, Curve DAO (CRV) price is in red in all timeframes, losing nearly 13% in the last 24 hours. In the last week, the token has shed 14% of its value, figures from crypto market tracker Coingecko shows.