Curve Finance Liquidity Pools Under Continuous Attack

After the incidents at Conic Finance and JPEG'd, several other projects built on Curve Finance's liquidity pools have also come under attack.

Series of Attacks on Curve's Liquidity Pools
The issue didn't just start this week; it dates back to last week (21/07), when Conic Finance was drained of assets through its reliance on LP Tokens from Curve Finance.
On the evening of 30/07, the NFT lending project JPEG'd reported an exploit in its pETH-ETH liquidity pool on Curve Finance, losing up to $11 million.
There was an attack on the pETH-ETH curve pool.
— JPEG'd (@JPEGd_69) July 30, 2023
The vault contracts that allow borrowing against NFTs are safe and still running solidly. NFTs and the treasury funds are safe. We’ll keep everyone updated as soon as we know better what is happening.
We’ve been looking into the…
Another project affected on the same night was Metronome, with $1.6 million lost due to an exploit.
Another curve pool (this time Metronome Synth ETH) hit by a similar exploit for $1.6m profit pic.twitter.com/1vcZMwOTT7
— Spreek (@spreekaway) July 30, 2023
Alchemix's alETH was also a victim, originating from a Curve liquidity pool, with estimated losses of $13.6 million.
"alETH curve pool hit (possibly whitehat, i saw team in discussion with security?) for 13.6m." — Spreek (@spreekaway) July 30, 2023
Further reports indicated vulnerabilities in deBridge and Ellipsis, with total losses reaching $26.76 million by 00:00 on 31/07.
Potential Causes
At the time of writing, there is no detailed report on the exact causes of the multiple exploits related to Curve’s liquidity pools. However, the community points to two likely causes:
- A bug in Vyper versions 0.2.15, 0.2.16 and 0.3.0: the reentrancy guards in contracts compiled with these versions were ineffective, so attackers could re-enter pool functions repeatedly and drain the liquidity pools.
- Abuse of the "get_virtual_price" function: according to a ChainSecurity document, this function, which is used to price LP Tokens on Curve Finance, can be exploited to manipulate oracle prices and set up reentrancy loops that drain funds.
The former likely explains the recent exploits of Curve pools (Alchemix, JPEG'd and Metronome), while earlier incidents, such as the one at Conic Finance, may be due to the latter.
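The toy model below, added here and not taken from Curve's or Vyper's code, puts both suspected mechanisms in one place: a pool that pays out ETH through an external call while its state is half updated, a lock that either shares one slot across functions or (shared_lock=False, standing in for the affected compiler versions) uses one slot per function, and an assumed require_unlocked check with which an oracle consumer refuses a price read while the pool is locked. The price formula sum(balances)/supply is a deliberate simplification of Curve's D/supply, and the pool sizes are constructed.

```python
def nonreentrant(fn):
    # Models Vyper's @nonreentrant("lock"): a correct compiler gives every function with
    # the same key one storage slot; the affected versions gave each function its own.
    def wrapped(self, *args):
        slot = "lock" if self.shared_lock else fn.__name__
        if self.locks.get(slot):
            raise RuntimeError("reentrant call to " + fn.__name__)
        self.locks[slot] = True
        try:
            return fn(self, *args)
        finally:
            self.locks[slot] = False
    return wrapped

class Pool:
    def __init__(self, balances, total_supply, shared_lock=True):
        self.balances = list(balances)     # coin 0 is ETH (paid out via callback), coin 1 a token
        self.total_supply = total_supply   # LP tokens outstanding
        self.shared_lock = shared_lock     # False models the affected compiler versions
        self.locks = {}                    # storage slots holding the lock flags
    def get_virtual_price(self, require_unlocked=False):
        # sum(balances)/supply stands in for Curve's D/supply; an oracle consumer should
        # refuse the read while any lock is held, which is the read-only reentrancy defence.
        if require_unlocked and any(self.locks.values()):
            raise RuntimeError("pool is mid-update")
        return sum(self.balances) / self.total_supply
    @nonreentrant
    def add_liquidity(self, amounts):
        minted = sum(amounts) / self.get_virtual_price()
        self.balances = [b + a for b, a in zip(self.balances, amounts)]
        self.total_supply += minted
        return minted
    @nonreentrant
    def remove_liquidity(self, lp_amount, on_eth_received):
        share = lp_amount / self.total_supply
        self.balances = [b * (1 - share) for b in self.balances]  # balances drop first
        on_eth_received(self)           # ETH leaves here: an external call mid-update
        self.total_supply -= lp_amount  # LP burn happens last, so the price reads low above

def withdraw_and_reenter(pool, lp_amount, require_unlocked=False):
    # From the ETH callback, read the price and try to add liquidity; report the outcome.
    seen = {"price": None, "minted": None, "blocked": False}
    def callback(p):
        seen["price"] = p.get_virtual_price(require_unlocked)
        seen["minted"] = p.add_liquidity([10.0, 10.0])
    try:
        pool.remove_liquidity(lp_amount, callback)
    except RuntimeError:
        seen["blocked"] = True
    return seen
```

With the per-function lock, the callback is minted about 22.22 LP for deposits worth 20 because it reads the deflated price 0.9; with the shared lock the write is refused, but a plain read still returns 0.9 until the consumer checks the lock state.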
Updates from the Team
The Curve team has stated that volatile pools and pools related to stETH, frxETH, cbETH, rETH, and sETH are still safe.
#PeckShieldAlert There are $26.76M exploited so far from @AlchemixFi, @JPEGd_69, @MetronomeDAO, @DebridgeFinance and @Ellipsisfi pic.twitter.com/SXGG9m9Nww
— PeckShieldAlert (@PeckShieldAlert) July 30, 2023
Curve confirmed that the affected liquidity pools were using Vyper versions 0.2.15, 0.2.16, and 0.3.0. Both the Curve team and the Vyper development team are investigating the issue and calling for affected projects to reach out directly.
Curve team looking into potential other pools at risk. steth, frxeth,cbeth,reth,seth are fine. pic.twitter.com/LvRyaNOae3
— Spreek (@spreekaway) July 30, 2023
An anonymous security expert with the Twitter handle pcaversaccio announced a large-scale rescue operation for the at-risk pools, calling for affected projects to contact them.
We're running a large white hat rescue operation. Please reach out if you think you're affected as a project. https://t.co/tssWcRHg35
— sudo rm -rf --no-preserve-root / (@pcaversaccio) July 30, 2023
A number of stablepools (alETH/msETH/pETH) using Vyper 0.2.15 have been exploited as a result of a malfunctioning reentrancy lock. We are assessing the situation and will update the community as things develop.
— Curve Finance (@CurveFinance) July 30, 2023
Other pools are safe. https://t.co/eWy2d3cDDj
CRV Token Price Movements
The CRV token has experienced significant volatility, dropping over 4.5% to $0.699.
The continuing attacks on pools built on Curve Finance show why DeFi projects need robust security measures and prompt responses to vulnerabilities in order to protect themselves and their users.