Recent hacks on DeFi protocols BNB Smart Chain and Curve Finance expose a vulnerability in Vyper’s programming language, leading to millions of dollars in losses.
Hackers have zeroed in on a vulnerability in the Vyper programming language — a well-known tool widely used for developing Web3 projects that target the Ethereum Virtual Machine (EVM) — on two significant DeFi protocols: BNB Smart Chain and Curve Finance.
Vyper is known for its similarities to Python, making it a common starting point for Python developers venturing into DeFi. The attacks in question exploited a flaw in the reentrancy lock of Vyper versions 0.2.15, 0.2.16, and 0.3.0, leading to multiple breaches across different protocols.
The losses have been significant across several platforms. On the BNB Smart Chain (BSC), there was reportedly multiple attacks due to the reentrancy lock vulnerability found in specific versions of Vyper (0.2.15, 0.2.16, 0.3.0) reported on July 30. Blockchain security firm BlockSec reported that these attacks led to a theft of around $41 million worth of cryptocurrencies.
The sheet updated. Losses have already ~$41m!https://t.co/lCaS4uEPzm https://t.co/stQYNJFS7y pic.twitter.com/P7jG8NHnV4
— BlockSec (@BlockSecTeam) July 30, 2023
Curve Finance, a DeFi protocol, suffered even more on the same day. Several of its stable pools using the afflicted Vyper versions were exploited, with losses exceeding $47 million. A total of 32 million CRV tokens worth over $22 million were drained from the swap pool, as confirmed by Curve on Twitter.
Someone drained 32 million $CRV from the swap pool, 0x8301ae4fc9c624d1d396cbdaa1ed877821d7c511 pic.twitter.com/zQYivclTqO
— Andrew T (@Blockanalia) July 30, 2023
The reentrancy lock is a critical component that should prevent multiple functions from being executed simultaneously. When correctly implemented, this guard would have thwarted the attackers. But in the case of the Vyper versions, the reentrancy guard was not implemented correctly, making a number of DeFi pools susceptible to attacks.
Several other DeFi projects have also reported losses, such as Ellipsis, which reported an unspecified amount in BNB stable pools.
A small number of stablepools with BNB using an old Vyper compiler have been exploited.
We are assessing the situation and will update the community on any further findings. https://t.co/pxkhRRSr5w
— Ellipsis (@Ellipsisfi) July 30, 2023
The information on or accessed through this website is obtained from independent sources we believe to be accurate and reliable, but Decentral Media, Inc. makes no representation or warranty as to the timeliness, completeness, or accuracy of any information on or accessed through this website. Decentral Media, Inc. is not an investment advisor. We do not give personalized investment advice or other financial advice. The information on this website is subject to change without notice. Some or all of the information on this website may become outdated, or it may be or become incomplete or inaccurate. We may, but are not obligated to, update any outdated, incomplete, or inaccurate information.
You should never make an investment decision on an ICO, IEO, or other investment based on the information on this website, and you should never interpret or otherwise rely on any of the information on this website as investment advice. We strongly recommend that you consult a licensed investment advisor or other qualified financial professional if you are seeking investment advice on an ICO, IEO, or other investment. We do not accept compensation in any form for analyzing or reporting on any ICO, IEO, cryptocurrency, currency, tokenized sales, securities, or commodities.
See full terms and conditions.