chatsimple
Blog Post

Demystifying The $70 Million Curve Defi Smart Contract Exploit

August 1, 2023

Executive Summary

  • On July 31st, 2023, Curve Finance suffered an exploit that drained $70 million
  • Root cause was a 0-day compiler bug in the Vyper language, which was used to write Curve's smart contracts
  • Attackers were able to manipulate LP token prices and siphon funds quickly
  • Incident raised concerns around vulnerability disclosure policies and smart contract security practices
  • Highlights the need for robust auditing, testing, and coordinated disclosure in complex DeFi ecosystems

Introduction

Decentralized finance (DeFi) aims to recreate traditional financial services in a decentralized, blockchain-based environment. However, the Curve Finance hack on July 31st serves as a stark reminder that DeFi still faces risks from software vulnerabilities just like any complex software system. Attackers exploited a previously unknown "0-day" bug in Curve's smart contract code, draining $70 million from the affected pools before it could be addressed.

Investigation into the Exploit

The root cause was a bug in older versions of Vyper - the language used to program Curve's smart contracts. This caused a mismatch between two key functions that are supposed to prevent reentrancy, which attackers took advantage of to manipulate prices and siphon funds.

The issues were quickly detected, with the bug identified publicly just two hours after the attacks began. However, the damage was already done by fast-acting exploiters. The biggest pools affected were Alchemix, losing $20 million, the CRV/ETH pool losing $18 million, and JPEG'd losing $12 million.

Several associated tokens saw double-digit price crashes as the incident unfolded, underscoring the interconnected risks in DeFi. A number of addresses were identified as being involved in draining funds from the affected Curve pools, pictured below:

  • 0xDCe5d6b41C32f578f875EfFfc0d422C57A75d7D8
  • 0x30fb95794a2051abe30a67892b3a1fa73947aee5
$20m worth of ETH drained by Alchemix Exploiter (https://ciso.anchainai.com/s/43Caus1v7hh )
  • 0xB1C33b391C2569B737eC387E731E88589e8ec148
  • 0xb752def3a1fded45d6c4b9f4a8f18e645b41b324
$18m worth of ETH drained from CRV/ETH pool (https://ciso.anchainai.com/s/43Cc6dHmrQl)
  • 0x6Ec21d1868743a44318c3C259a6d4953F9978538
$12m drained by JPEG'd frontrunner (https://ciso.anchainai.com/s/43Ch2AlMvmo)
  • 0xe761bf731a06fe8259fee05897b2687d56933110
$12m drained by Alchemix White Hat Hacker (https://ciso.anchainai.com/s/43ChkkdnRP2)

These addresses appear to be associated with the exploitation of the reentrancy bug to drain funds from Curve Finance before it could be fixed.

Conclusion: Lessons Learned

The recent Curve Finance hack is a demonstration that the DeFi industry still has work to do before achieving mainstream adoption. Developers, auditors, and security researchers should take three key steps:

  1. Improve smart contract auditing and testing procedures. This hack proves that bugs can slip through even robust checks, so auditing methodology must continue advancing.
  1. Implement responsible vulnerability disclosure policies. This would give developers time to patch bugs before exploits occur,  limiting the damage from undiscovered issues.
  1. Enhance coordination and transparency between all stakeholders. Finding and fixing vulnerabilities together before incidents happen must become a top priority across DeFi. Products like AnChain.AI's Web3SOC, the world's first security operations center for monitoring and responding to Web3 threats, can aid in this collaboration.

By proactively taking these steps, including leveraging innovative solutions, the decentralized finance ecosystem can learn from this hack and continue maturing with greater diligence. There is no quick fix, but renewed collaboration and vigilance will help DeFi move forward securely.

Prepared by: AnChain.AI Threat Intel Team

Sign Up For Our Newsletter

Thank you for signing up!
Something went wrong! Please try again.

© 2024 AnChain.AI. All Rights Reserved | Privacy Policy