Hacker Steals $47M from Curve Finance
A person using an exploit in the Vyper program code was able to breach on July 30 DEX Curve Finance’ stablecoin pools, resulting in a withdrawal of approximately $47 million.
Vyper, a contract-oriented programming language created for the Ethereum Virtual Machine, had incorrect reentry protection in versions 0.2.15, 0.2.16 and 0.3.0, and Ancilia analysts discovered that about 460 protocols were affected.
This attack had a ripple-effect, affecting projects such as JPEG’d, MetronomeDAO, deBridge, and Ellipsis.
Out of these, the alETH-ETH Alchemix pool incurred the greatest loss of $13.6 million. Additionally, three projects on the BNB Smart Chain were affected to the tune of $73,000.
A white hat hacker, c0ffebabe.eth, utilized his MEV bot to return most of the money stolen, and in total was able to secure approximately $5.4 million worth of 2,879 ETH, as well as an additional 1,000 ETH (~$1.8 million) that he transferred to a cold wallet.