Curve Finance

Curve Finance Warns Of Potential Arbitrum Pool Exploit

  • Curve Finance confirmed exploits on four pools, CRV/ETH, alETH/ETH, msETH/ETH, and pETH/ETH, following the weekend’s multi-million dollar hack.
  • The DeFi exchange warned of a potential attack on Arbitrum’s tricrypto pool, although developers could not identify a profitable exploit.
  • Curve CRV and ETH pools were exploited for over $50 million during the weekend due to issues in the Vyper smart contract language.
  • One MEV bot operator, c0ffeebabe.eth, returned 2,879 ETH stolen from the CRV-ETH liquidity pool as white hat and black hat hackers tussled for Ethereum block space.

DeFi platform Curve Finance warned of a potential exploit on Arbitrum’s tricrypto liquidity pool following last weekend’s multi-million dollar hack, which was caused by issues with the Vyper smart contract language.

While developers could not identify a profitable exploit on this Arbitrum LP, Curve’s team advised users to withdraw to avoid possible losses.

The decentralized exchange also confirmed successful attacks on four liquidity pools denominated in Ether pairs: CRV/ETH, alETH/ETH, msETH/ETH, and pETH/ETH.

$52 Million Hack On Curve Finance Pools

Curve suffered exploits on factory pools provided by decentralized finance protocols Alchemix, Metronome, and JPEGd due to a reentrancy vulnerability in Vyper, a smart contract programming language.

According to one Vyper contributor, the hacker exploited an obscure attack vector. “they dug *deep* in our release history to find an exploitable issue for a large protocol with many millions at stake,” said @fubuloubu on Twitter.

I think it’s on the order of weeks to months to find. The execution was fairly coordinated, perhaps by a small group or team. We might find more information soon, but I think it’s reasonable to suspect that state-sponsored hackers could be involved, due to the resources invested.

Over the weekend, exploiters and ethical hackers battled for Ethereum block space as Curve Finance experienced outflows in the millions. One attacker lost their loot to an MEV bot operator seeking to safeguard Curve funds amid the incident.

The MEV bot operator, identified by their ENS tag “c0ffeebabe.eth”, returned 2,879 ETH worth $5.4 million to Curve’s deployer contract, per security firm PeckShield.