Several Liquidity Pools Exploited for Nearly $60 Million

Summary: #

On July 30, a hackers drained approximately $60 million from liquidity pools that decentralized exchanges uses to offer exchange of tokens. Affected protocols include CurveFi, MetronomeDAO, JPEGd and Alchemix.

Curve, as biggest funds lost from the breach, ranks among the most esteemed and reliable DEXes and relies on automated market makers in much the same way as Uniswap. Though it is still functioning, Curve has seen an exodus of funds since the hack.

Losses #

The attack drained $60 million in total from four projects. Detailed protocol-specific losses:

• CurveFi

  • $19,769,550 worth 10,560.14 ETH
  • $3,956,370 worth 7,193,401 CRV

• Alchemix

  • $13,663,900 worth 7,258.7 ETH
  • $9,076,167 worth 4,821.55 alETH

• JPEGd

  • $11,461,200 worth 6,106.65 ETH

• MetronomeDAO

  • $1,625,950 worth 866.55 ETH

Total Value Locked in the CurveFi slipped from $3.3 billion to $2.3 billion, according to DeFi Llama. Its governance token, CRV, lost about 40% of its value in the weeks following the attack.

Timeline: #

• July 30, 2023:

  13:10 UTC: First exploit, on pETH/ETH pool, begins.

  14:50 UTC: Attack on msETH/ETH pool.

  15:34 UTC: Attack on alETH/ETH pool.

  16:44 UTC: Vyper reports vulnerability, followed immediately by Curve identifying targeted pools other than CRV/ETH.

  19:16 and 19:30 UTC: Hacker pulls WETH and then CRV from pool

• July 31, 2023, 09:49 UTC: c0ffeebabe.eth makes return to MetronomeDAO.

• August 4, 2023, 10:22 PM UTC: JPEG’d confirms return of funds from the hacker.

• August 06, 2023, 04:10 PM UTC: CurveFi has offered a $1.85 million bounty to anyone who can identify the hacker.

• August 11, 2023: Curve puts out post-hack safety report, but also says 70% of funds affected have been recovered.

• August 18, 2023: MetronomeDAO releases its own post-mortem.

Attackers: #

The attack to the vulnerable pools came from several parties.

• 0xdce5d6b41c32f578f875efffc0d422c57a75d7d8 returned stolen funds to Alchemix, accompanied with an onchain message about not wanting to destroy the project.

• c0ffeebabe.eth, an owner of MEV bot that frontran the attackers, returned much of the funds to CurveFi and to MetronomeDAO

• 0x6ec21d1868743a44318c3c259a6d4953f9978538 returned most of the funds to the JPEGd protocol

• 0xb1c33b391c2569b737ec387e731e88589e8ec148 holding $16 million as of August 27, 2023, which was stolen from the CurveFi.

Security Failure Causes: #

• Vyper Compiler Bug: Vyper, a compiler for the Ethereum Virtual Machine, contained a vulnerability in versions from 0.2.15 to 0.3.0 that did not properly lock up a smart contract with a Reentrancy Guard, which was intended to prevent the execution of a malicious sequence of functions at one transaction.