The BNB Smart Chain (BSC) experienced a copycat attack that exploited a vulnerability in the Vyper programming language, similar to the attack on DeFi protocol Curve Finance. On July 30, blockchain security firm BlockSec reported that approximately $73,000 worth of cryptocurrency was stolen in three breaks on the BSC.
The vulnerability in Vyper versions 0.2.15, 0.2.16, and 0.3.0, used by many DeFi mining pools, caused a similar attack on Curve Finance's liquidity pool, resulting in losses of over $41 million, according to BlockSec's current estimates. Vyper is a widely used programming language in Web3 projects, originally designed for the Ethereum Virtual Machine, and its vulnerability could potentially affect other protocols using the affected versions.
Following the breach, both white hat and black hat hackers engaged in on-chain battles, trying to exploit or defend against further attacks and recover stolen funds. One white hat hacker, known as "c0ffebabe.eth," successfully obtained some funds and of fed to return them to the affected protocols. They sent an on-chain message on July 30, inviting the impacted projects to coordinate the return of the funds.
As of now, the wallet operated by c0ffebabe.eth has returned nearly 2900 ETH, worth more than $5 million, to Curve Finance. The hacker also transferred 1,000 ETH to a new wallet, likely the cold wallet mentioned earlier, possibly indicating their intent to securely hold and manage the recovered funds.
