Curve Finance, a popular decentralized exchange (DEX), is known for facilitating swaps between similar assets such as Ethereum and Staked Ethereum, or Tether's USDT and Circle's USDC. The DEX can serve as an arbitrage tool for traders if the prices of these assets diverge. Initial reports indicated a breach of over $24 million on the platform on Sunday. However, as the attack unfolded, blockchain security firm PeckShield revised the estimated stolen amount to $52 million.
The Curve Finance team revealed that three token liquidity pools paired with Ethereum (ETH) and the Curve governance token CRV, as well as with Alchemix (alETH) and Metronome Synth (smETH), were "hacked" due to "issues in the Vyper compiler version." Vyper is a programming language utilized for writing smart contracts on the Ethereum blockchain. Certain older versions of Vyper have been found to be susceptible to exploitation, as mentioned by the core team of the programming language.
The team behind Curve Finance highlighted another implication arising from the use of Vyper-based liquidity pools on the layer-2 solution Arbitrum. The Tricrypto pool, which involves USDC, wBTC, and ETH, might also be affected. Although no profitable exploitation has been identified by security experts and Vyper developers, the pools are still considered vulnerable. As a precaution, liquidity providers are advised to exit the affected pool.
Additionally, Ellipsis, another decentralized exchange (DEX) based on the Binance Smart Chain (BNB), reported a vulnerability in the stable exchange pool on the BNB chain. South Korean cryptocurrency exchange Upbit has taken preventive measures by temporarily suspending deposits and withdrawals of CRV tokens.
As the situation continues to evolve, Upbit emphasized its ongoing monitoring of the events and urged its members to be cautious about the potential heightened price volatility of the Curve token (CRV). It remains a critical time for decentralized finance (DeFi) platforms, as vulnerabilities in smart contracts and programming languages could lead to substantial losses for users and liquidity providers.



















