Key Insights:
The Curve DAO (CRV), the DeFi exchange Curve Finance token, has sunk by 12% in the past 24 hours. The DEX platform also lost more than $50 million over the weekend.
These losses occurred due to an exploit on the liquidity pools of Curve Finance. There were some bugs in the smart contracts that use versions of the Vyper programming language.
Smart contracts are used on Curve for its financial services, but it was, unfortunately, its undoing. A "re-entrancy" bug in Vyper was used to steal several assets from the pools.
A series of attacks due to exploits on Vyper left millions stolen. This led to a drop in the value of CRV, with fears that more is to come.
A zero-day vulnerability in specific computer versions for Vyper enabled the thefts. The vulnerability was the re-entrancy bug which allows hackers to deceive a smart contract by making repeated calls to a protocol to embezzle its assets.
These attacks drained numerous liquidity pools starting with JPEG'd's pETH-ETH, where the hackers siphoned over $11 million. The other attacks affected Alchemix's alETH-ETH pool, the CRV/ETH pool, Pendle's pETH-ETH pool, and Metronome's msETH-ETH pool, where over $70 million was stolen.
However, some of the attacks were reportedly carried out by white-hat hackers, which means the total amount could be closer to $50 million.
After the exploits occurred, there was finger-pointing among the development teams as to the guilty party. Dr. Laurence Day, a smart contract exploits expert cautioned against the blame game.
He said,
"Compilers come pre-packed with a whole host of behavioral assumptions that the vast majority of us simply take for granted because we assume that people smarter than us have done the leg-work closer to assembly."
In the aftermath of the attacks, Alchemix protocol — which was severely affected — paused several contracts to forestall the exploiter from swapping alETH for native ETH. Expectedly, there is a build-up of apprehension about the possible ripple effects of the theft.
One such is on CRV.
As earlier reported, the CRV token has dropped by 12% on exchanges to $0.64 within the past 24 hours. However, it traded significantly higher on two South Korean exchanges, Bithumb and Upbit.
CRV's price on Bithumb and Upbit has risen massively since the thefts occurred. At press time, the CRV price on Bithumb traded at $4.42, a premium rate of 600%, while it is $0.81 on Upbit at a premium rate of over 55%.
In a precautionary move "to ensure the safety of digital asset transactions,"
Upbit temporarily suspended the deposits and withdrawals of CRV, as published in an announcement.
The multi-million dollar hack brought the DeFi space to its knees, as Curve Finance is one of the most prominent DEXs in the ecosystem. Beyond its high liquidity ($3 billion), it provides efficient and low-cost swaps between stablecoins.
Therefore, many in the DeFi space are fearful of the possible effects the attack could cause. One specific asset that could be a casualty of this is the Ave V2 loan. It is the brainchild of Curve Finance's founder and is backed with CRV tokens, which could make it hard for the protocol to liquidate.
Disclaimer: Voice of Crypto aims to deliver accurate and up-to-date information but will not be responsible for any missing facts or inaccurate information. Cryptocurrencies are highly volatile financial assets, so research and make your own financial decisions.