Upbit, a South Korean cryptocurrency exchange, has temporarily suspended deposits and withdrawals of CRV, the governance token of Curve Finance, a decentralized exchange for stablecoins. The move comes as hackers over the weekend exploited a ‘re-entrancy’ bug in Vyper to steal millions of dollars.
Curve Suffers Hack
Reentrancy is a type of vulnerability in smart contracts that enables attackers to make repeated calls to a protocol, creating the opportunity to steal funds from such smart contracts or execute other malicious actions. Vyper, for its part, is a Python-like language for the Ethereum Virtual Machine (EVM), the software that runs on Ethereum and handles the blockchain’s smart contracts system.
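To make the definition concrete, here is an added example (not code from Curve, Vyper or the original article): a constructed Python model of a pool whose withdrawal makes an external call before zeroing the caller's balance, run with a working reentrancy lock, a disabled one, and a disabled one plus state updated first. All names (`Pool`, `simulate`, `lock_works`, `effects_first`) are hypothetical, and the model does not reproduce the actual Vyper defect.

```python
class Reverted(Exception):
    """Stands in for an EVM revert."""

class Pool:
    """Constructed in-memory model of a contract; not Curve or Vyper code."""
    def __init__(self, lock_works, effects_first=False):
        self.lock_works = lock_works        # False models a malfunctioning lock
        self.effects_first = effects_first  # True: update state before paying out
        self.locked = False
        self.balances = {}
        self.reserve = 0

    def deposit(self, who, amount):
        self.balances[who] = self.balances.get(who, 0) + amount
        self.reserve += amount

    def withdraw(self, who, on_receive):
        if self.lock_works and self.locked:
            raise Reverted("reentrant call blocked")
        amount = self.balances.get(who, 0)
        if amount == 0 or amount > self.reserve:
            raise Reverted("nothing to pay out")
        self.locked = True
        try:
            self.reserve -= amount
            if self.effects_first:
                self.balances[who] = 0
            on_receive(amount)              # external call: control leaves the contract
            self.balances[who] = 0          # too late if the callee re-entered
        finally:
            self.locked = False

def simulate(lock_works, effects_first=False):
    """Return (paid_to_caller, reserve_left) after one withdraw by a re-entering caller."""
    pool = Pool(lock_works, effects_first)
    for name in ("alice", "bob", "caller"):   # constructed sample deposits of 100 each
        pool.deposit(name, 100)
    paid = 0

    def on_receive(amount):
        nonlocal paid
        paid += amount
        try:
            pool.withdraw("caller", on_receive)   # call back in mid-withdraw
        except Reverted:
            pass                                  # nested call failed; outer call continues

    pool.withdraw("caller", on_receive)
    return paid, pool.reserve
```

With a working lock the re-entering caller receives only its own 100; with the lock disabled it is paid the pool's full 300, unless the balance is zeroed before the external call.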
In an announcement released today (Monday), Upbit explained that it took the decision to halt the withdrawal of CRV in order “to ensure the safety of digital asset transactions.”
“Today, certain vulnerabilities have been discovered in some of the stablecoin pools associated with Curve (CRV). As a result, CRV is currently experiencing significant volatility. We advise exercising caution when considering any investments related to CRV,” Upbit stated.
Vyper announced the exploit yesterday (Sunday), noting that certain versions of its language were vulnerable to ‘malfunctioning reentrancy locks’. Curve Finance followed up with an update, saying the event affected 'a number of stable pools'.
A number of stablepools (alETH/msETH/pETH) using Vyper 0.2.15 have been exploited as a result of a malfunctioning reentrancy lock. We are assessing the situation and will update the community as things develop.
Other pools are safe. https://t.co/eWy2d3cDDj
— Curve Finance (@CurveFinance) July 30, 2023
According to Cointelegraph, Michael Egorov, Curve Finance’s CEO, confirmed through a Telegram channel that 32 million CRV tokens worth over $22 million were stolen. However, BlockSec, a smart contracts audit platform, puts the figure at over $41 million.
The sheet updated. Losses have already ~$41m! https://t.co/lCaS4uEPzm https://t.co/stQYNJFS7y pic.twitter.com/P7jG8NHnV4
— BlockSec (@BlockSecTeam) July 30, 2023
Furthermore, Huobi Global estimated that losses from the attack were up to $52 million. The Seychelles-based crypto exchange added that it was closely monitoring the situation.
#DeFi projects: #Curve's JPED'd: pETH-ETH pool, & Alchemix, & JPEG'd, faced attacks resulting in a $52M loss. Your asset security is our top priority. We are monitoring the situation closely. #Huobi supports RWA tokens such as like $MKR, $COMP, $CRV, #WSTUSDT, and $TRX. Trade… pic.twitter.com/2YHGaFuGkc
— Huobi (@HuobiGlobal) July 31, 2023
Crypto Hack Losses Surge YTD
Meanwhile, Finance Magnates reported that the amount of money lost through hacks and exploits in the cryptocurrency sector surged to the highest level year-to-date in July 2023. This comes even as hackers stole $313 million through different kinds of scams and malicious exploits during the second quarter of the year.
Speaking about the hack at Curve, Zachary Townsend, the Co-Founder and CEO of Meanwhile, a provider of life insurance for the crypto economy, emphasized the importance of audits in preventing such incidents.
“In any case involving an exploit of crypto protocols, it’s important that audits are conducted very early on and preferably before formal launch,” Townsend told Finance Magnates. “Obviously, Curve is a reputable protocol and has a venerable track record in the DeFi industry. But, again, this incident should serve as a reminder that extensive testing and auditing are key.”
Also commenting, Brian D. Evans, the CEO and Founder of BDE Ventures, a web3 venture studio and advisory firm, noted that the most important thing going forward is to learn from the mistake, improve and do the utmost to ensure that such exploits never happen again. However, Evans pointed out that the sophistication and complexity of the DeFi ecosystem offer no 100% guarantee.
“The fact that all these protocols are composable with each other elevates the risk that an exploit in one protocol can quickly cascade into the other protocols, heightening the risk of mass liquidation events,” the CEO of BDE Ventures stated. “Even the most sophisticated of audits aren’t going to catch everything or be able to future-proof all protocols.”