BanklessTimes
Home News Hackers Drain $100M+ From Curve Finance, CRV Trading Suspended

Hackers Drain $100M+ From Curve Finance, CRV Trading Suspended

Daniela Kirova
Daniela Kirova
Daniela Kirova
Author:
Daniela Kirova
Writer
Daniela is a writer at Bankless Times, covering the latest news on the cryptocurrency market and blockchain industry. She has over 15 years of experience as a writer, having ghostwritten for several online publications in the financial sector.
July 31st, 2023
  • The funds are at risk because of a “re-entrancy” bug in Vyper
  • Upbit halted trading of Curve Finance’s CRV token
  • Similar vulnerabilities are expected for other projects on Vyper

Curve, a stablecoin platform at the heart of Ethereum’s DeFi ecosystem, suffered a hack late July 30, CoinDesk reported, citing a project tweet. The above amount is at risk because of a “re-entrancy” bug in Vyper, a programming language behind some Curve ecosystem components.

At the time of writing, a number of stablecoin pools in the system had been drained by hackers. These pools were used to price and provide liquidity for a few different DeFi services.

What happened?

A re-entrancy bug is a type of software vulnerability that occurs in concurrent or multi-threaded programs. It is where an application’s code can be interrupted and re-entered before completing its previous execution, potentially leading to unexpected and undesirable behavior.

Re-entrancy bugs typically manifest due to shared resources, asynchronization, and interleaved execution. Multiple threads or processes often share common resources, such as global variables, objects, or data structures.

If the shared resources are not properly synchronized or protected, it becomes possible for one thread to interrupt another thread while it is in the middle of using or modifying the shared resource.

When a thread gets interrupted and another thread takes over, it might access and modify the shared resource in a way that was not intended or expected.

The consequences

The exact cause of the bug is not known at this time, but a number of exchanges have already halted trading of Curve Finance’s CRV token, such as the South Korean Upbit, who announced:

CRV is currently experiencing significant volatility. We advise exercising caution when considering any investments related to CRV. To ensure the safety of digital asset transactions, we have temporarily suspended deposits and withdrawals for CRV.

The future

Similar vulnerabilities are expected for other projects that use Vyper. At the time of writing, blockchain auditor BlockSec estimated the total losses to exceed $42 million.

According to Curve’s website, it operates 232 pools, but a fraction of them are at risk.

The hack has resulted in a decline of the CRV token of 12.60% in the last 24 hours. It is currently trading for $0.64 according to Coinmarketcap.

There is also a risk of liquidation of Curve’s founder’s $70 million borrowing position on Aave due to the heist.

Contributors

Daniela Kirova
Writer
Daniela is a writer at Bankless Times, covering the latest news on the cryptocurrency market and blockchain industry. She has over 15 years of experience as a writer, having ghostwritten for several online publications in the financial sector.