- A malfunctioning reentrancy lock in the Curve DAO Vyper compiler enabled a 0-day exploit.
- Over $50 million was stolen.
- CRV has dropped 13% in value.
Curve Finance has fallen victim to a massive exploit, resulting in a staggering loss of over $50 million. The exploit was attributed to a critical issue in Vyper compiler versions 0.2.15 to 0.3.0, which affected several pools, including CRV/ETH, aETH/ETH, msETH/ETH, and pETH/ETH.
What Happened: 0-Day Exploit
The Vyper compiler issue significantly impacted multiple liquidity pools within the Curve Finance ecosystem. The vulnerability in the Vyper compiler was linked to malfunctioning reentrancy locks and affected versions 0.2.15, 0.2.16, and 0.3.0. This left DeFi projects relying on these versions exposed to potential attacks. As soon as the issue was identified, developers initiated an investigation to analyze the extent of the vulnerability and work toward an urgent fix.
Reentrancy refers to the ability of a smart contract to call another contract’s function, or itself, repeatedly during the execution of a single transaction. Reentrancy locks prevent such recursive calls and ensure a contract’s state is correctly updated before another external call is allowed. Because the reentrancy lock produced by the affected Vyper compiler versions malfunctioned, it enabled a 0-day exploit: one where the vendor and the public receive zero days of advance notice of the flaw before malicious actors exploit it. Hackers use 0-day attacks to manipulate a smart contract’s state and steal funds.
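To make the reentrancy-lock mechanism described above concrete, the following is an added Python simulation; it is not code from Curve, from the Vyper project, or from the original article, and it does not reproduce the Vyper compiler bug itself. Contract calls are modelled as ordinary method calls, the vault, the account names and the deposit amounts are all constructed for illustration, and the `lock_enabled` flag stands in for whether the lock actually takes effect: with it off, the vault behaves the way a contract whose lock has silently stopped working would, and a callee that re-enters `withdraw()` before the balance is updated drains the whole vault; with it on, the second entry is refused and the callee gets only its own deposit.

```python
"""Toy model of reentrancy and a reentrancy lock (constructed illustration,
not Curve or Vyper code). 'Ether' is a plain integer balance."""


class ReentrancyError(Exception):
    """Raised when a locked function is entered a second time in one call."""


class Vault:
    """Deposit/withdraw contract.

    withdraw() performs its external call *before* zeroing the caller's
    balance, the classic ordering mistake. A working reentrancy lock
    (lock_enabled=True) still prevents abuse; a lock that does not take
    effect (lock_enabled=False) leaves the vault drainable.
    """

    def __init__(self, lock_enabled: bool) -> None:
        self.balances: dict[str, int] = {}
        self.ether = 0                  # funds held by the contract
        self.lock_enabled = lock_enabled
        self._locked = False            # the storage slot behind the lock

    def deposit(self, who: str, amount: int) -> None:
        self.balances[who] = self.balances.get(who, 0) + amount
        self.ether += amount

    def withdraw(self, caller: "Account") -> None:
        # Reentrancy lock: refuse entry while a previous call is still active.
        if self.lock_enabled:
            if self._locked:
                raise ReentrancyError("re-entered withdraw()")
            self._locked = True
        try:
            amount = self.balances.get(caller.address, 0)
            if amount == 0:
                return
            self.ether -= amount
            caller.receive(self, amount)          # external call first ...
            self.balances[caller.address] = 0     # ... state update last
        finally:
            if self.lock_enabled:
                self._locked = False


class Account:
    """Plain callee: just accepts the transfer."""

    def __init__(self, address: str) -> None:
        self.address = address
        self.ether = 0

    def receive(self, vault: Vault, amount: int) -> None:
        self.ether += amount


class Reentrant(Account):
    """Callee that re-enters withdraw() from its receive hook, the way a
    malicious fallback function would, and keeps going while the vault can
    still pay. A refused re-entry is swallowed so the outer call completes."""

    def receive(self, vault: Vault, amount: int) -> None:
        self.ether += amount
        if vault.ether >= amount:
            try:
                vault.withdraw(self)
            except ReentrancyError:
                pass  # the lock stopped the recursion


def simulate(lock_enabled: bool) -> tuple[int, int]:
    """Run one withdraw() by a re-entering caller against a vault holding
    90 units from an honest depositor and 10 from the caller (constructed
    amounts). Returns (caller_ether, vault_ether) afterwards."""
    vault = Vault(lock_enabled)
    vault.deposit("honest", 90)
    caller = Reentrant("reentrant")
    vault.deposit(caller.address, 10)
    vault.withdraw(caller)
    return caller.ether, vault.ether


if __name__ == "__main__":
    print("lock not enforced:", simulate(lock_enabled=False))  # (100, 0)
    print("lock enforced:    ", simulate(lock_enabled=True))   # (10, 90)
```

The lock is the only difference between the two runs: with it enforced, the nested `withdraw()` is rejected and the caller leaves with exactly its 10 units while the honest depositor's 90 remain. The broader defensive lesson is that a lock is a backstop, not a substitute for updating state before making external calls; code that does both survives even when one of the two protections fails.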