Upbit Stops CRV Withdrawal as Curve Finance Loses Millions of Dollars to Exploit

Monday, 31/07/2023 | 15:23 GMT by Solomon Oladipupo
  • BlockSec estimates that over $41M has been stolen from the hack.
  • Upbit says it wants to “ensure the safety of digital asset transactions.”

Upbit, a South Korean cryptocurrency exchange, has temporarily suspended deposits and withdrawals of CRV, the governance token of Curve Finance, a decentralized exchange for stablecoins. The move comes as hackers over the weekend exploited a ‘re-entrancy’ bug in Vyper to steal millions of dollars.

Curve Suffers Hack

Reentrancy is a type of vulnerability in smart contracts that enables attackers to make repeated calls to a protocol, creating the opportunity to steal funds from such smart contracts or execute other malicious actions. Vyper, meanwhile, is a Python-like language for the Ethereum Virtual Machine (EVM), the software that runs on Ethereum and handles the blockchain’s smart contract system.

In an announcement released today (Monday), Upbit explained that it took the decision to halt the withdrawal of CRV in order “to ensure the safety of digital asset transactions.”

“Today, certain vulnerabilities have been discovered in some of the stablecoin pools associated with Curve (CRV). As a result, CRV is currently experiencing significant volatility. We advise exercising caution when considering any investments related to CRV,” Upbit stated.

Vyper announced the exploit yesterday (Sunday), noting that certain versions of its language were vulnerable to ‘malfunctioning reentrancy locks’. Curve Finance followed up with an update, saying the event affected 'a number of stable pools'.

According to Cointelegraph, Michael Egorov, Curve Finance’s CEO, confirmed through a Telegram channel that 32 million CRV tokens worth over $22 million were stolen. However, BlockSec, a smart contracts audit platform, puts the figure at over $41 million.

Furthermore, Huobi Global estimated that losses from the attack were up to $52 million. The Seychelles-based crypto exchange added that it was closely monitoring the situation.

Crypto Hack Losses Surge YTD

Meanwhile, Finance Magnates reported that the amount of money lost through hacks and exploits in the cryptocurrency sector surged to the highest level year-to-date in July 2023. This comes even as hackers stole $313 million through different kinds of scams and malicious exploits during the second quarter of the year.

Speaking about the hack at Curve, Zachary Townsend, the Co-Founder and CEO of Meanwhile, a provider of life insurance for the crypto economy, emphasized the importance of audits in preventing such incidents.

“In any case involving an exploit of crypto protocols, it’s important that audits are conducted very early on and preferably before formal launch,” Townsend told Finance Magnates. “Obviously, Curve is a reputable protocol and has a venerable track record in the DeFi industry. But, again, this incident should serve as a reminder that extensive testing and auditing are key.”

Also commenting, Brian D. Evans, the CEO and Founder of BDE Ventures, a web3 venture studio and advisory firm, noted that the most important thing going forward is to learn from the mistake, improve and do the utmost to ensure that such exploits never happen again. However, Evans pointed out that the sophistication and complexity of the DeFi ecosystem offer no 100% guarantee.

“The fact that all these protocols are composable with each other elevates the risk that an exploit in one protocol can quickly cascade into the other protocols, heightening the risk of mass liquidation events,” the CEO of BDE Ventures stated. “Even the most sophisticated of audits aren’t going to catch everything or be able to future-proof all protocols.”

About the Author: Solomon Oladipupo
Solomon Oladipupo is a journalist and editor from Nigeria that covers the tech, FX, fintech and cryptocurrency industries. He is a former assistant editor at AgroNigeria Magazine where he covered the agribusiness industry. Solomon holds a first-class degree in Journalism & Mass Communication from the University of Lagos where he graduated top of his class.