The vulnerabilities in Vyper enabled hackers to steal over $70 million from platforms like Curve, Alchemix, and JPEG’d, dealing a serious blow to many DeFi protocols.
On July 30, the Vyper team disclosed an incorrect implementation of defenses against reentrancy attacks. The vulnerabilities impacted the most recent version of their smart contract language. In a reentrancy attack, an attacker repeatedly calls a function within a smart contract before its previous call completes, exploiting the contract’s logic to drain funds or manipulate data.
Several stable pools (alETH/msETH/pETH) using Vyper 0.2.15 have been exploited as a result of a malfunctioning reentrancy lock. We are assessing the situation and will update the community as things develop.
Other pools are safe. https://t.co/eWy2d3cDDj
— Curve Finance (@CurveFinance) July 30, 2023
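The reentrancy pattern described above, and the effect of a lock that fails to engage, can be seen in a small Python model. This is an added illustration, not Vyper or Curve code: the `Pool` class, the `lock_works` switch, the account names and the balances are all constructed for the example.

```python
class ReentrancyError(Exception):
    """Raised when a guarded function is entered while the lock is held."""


class Pool:
    def __init__(self, lock_works):
        self.lock_works = lock_works  # False models a lock that never engages
        self.locked = False
        self.balances = {}
        self.reserves = 0

    def deposit(self, who, amount):
        self.balances[who] = self.balances.get(who, 0) + amount
        self.reserves += amount

    def withdraw(self, who, on_receive):
        if self.locked:
            raise ReentrancyError("withdraw re-entered before completing")
        self.locked = self.lock_works
        try:
            amount = self.balances.get(who, 0)
            if amount == 0 or amount > self.reserves:
                return 0
            self.reserves -= amount
            on_receive(amount)        # external call made before the books are updated
            self.balances[who] = 0    # runs only after every nested call has returned
            return amount
        finally:
            self.locked = False


def simulate(lock_works, reentries=3):
    """Return (paid_out, reserves, owed_to_depositors) after one withdrawal."""
    pool = Pool(lock_works)
    pool.deposit("other_depositors", 90)   # constructed sample balances
    pool.deposit("caller", 10)
    received = []

    def on_receive(amount):                # the recipient's code runs mid-withdrawal
        received.append(amount)
        if len(received) <= reentries:
            try:
                pool.withdraw("caller", on_receive)
            except ReentrancyError:
                pass                       # nested call rejected by the lock

    pool.withdraw("caller", on_receive)
    return sum(received), pool.reserves, sum(pool.balances.values())
```

With the lock working, `simulate(True)` pays out 10 and the reserves still cover the 90 owed to other depositors; with the lock broken, `simulate(False)` pays out 40 and leaves reserves of 60 against 90 owed.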
After the attack, the DeFi community swiftly responded, advising users to withdraw assets from Curve pools to minimize risks. This aimed to reduce exposure to potential vulnerabilities.
DexScreener statistics revealed an 86% collapse in the CRV token on decentralized exchanges amid the commotion. In the last 24 hours, the token dropped by only 15%, reaching around $0.60. DeFi protocols lost around $70 million, with potential recovery due to white-hat hackers and MEV bots.
Bankless reported losses exceeding $45 million from Alchemix, Metronome, and JPEG’d DeFi protocols, and $25 million from Curve’s CRV/ETH pool.
Transaction data showed that an MEV bot front-ran the $11 million attack against JPEG’d, an NFT lending protocol. On-chain statistics indicate that the attackers have not yet started to sell their $4.5 million worth of illegally obtained CRV tokens, so the cryptocurrency’s severe volatility may persist.
DeFi Vulnerabilities and the Urgent Need for Security Enhancements
The event has also sparked questions about Michael Egorov, the inventor of Curve, and his DeFi borrowing practices. Egorov has taken out substantial loans against his holdings of more than $100 million in CRV on websites like Aave, Fraxlend, Abracadabra, and Inverse Finance.
In response, Egorov paid off some of his obligations and added more collateral, which resulted in a drop in his liquidation price to $0.37 per CRV on Aave. There is a concern, though, that if his investments are liquidated, it may lead to bad debt for Aave and other lending protocols because CRV doesn’t have enough on-chain liquidity.
Curve’s exploit raised concerns, but ChainLinkGod highlighted that using Chainlink’s price feed prevented worse DeFi consequences.
The hack caused a wave of panic among DeFi lenders, and the resulting withdrawal of funds from Aave and other protocols has pushed borrowing costs up. USDT has 89.5% utilization with 38% interest. USDC has 93% utilization and 22.4% loan rates. Egorov faces pressure with his $60 million borrowed USDT.
The incident has reignited debates over the dangers posed by DeFi platforms and the need for stronger security precautions and regulatory clarity. DeFi must address weaknesses and enhance security to safeguard investors and businesses from crippling attacks.