Curve Finance factory pools targeted due to reentrancy vulnerability

Quick Take

  • Factory pools on Curve Finance faced a reentrancy vulnerability, a security flaw allowing potential funds drain from interrupted contract calls.
  • Large outflows were linked to a series of interactions starting with a flashloan, exploiting the reentrancy vulnerability in specific Vyper compiler versions.

Factory pools on Curve Finance have been confronted with a reentrancy vulnerability, a critical security flaw that arises when a contract's external call is interrupted and called back before its completion, potentially allowing attackers to maliciously drain funds or exploit the contract's logic. This vulnerability led to significant outflows across various associated pools, amounting to over $26 million. 

According to security analysts at Beosin, the attacker targeted Curve's factory pools of multiple projects: JPEGd, Metronome and Alchemix.

JPEGd’s pETH-ETH factory pool on Curve saw an outflow of $11.4 million. Following closely, the Metronome’s sETH-ETH pool saw a movement of $1.6 million. However, it was the Alchemix’s alETH-ETH pool that witnessed the most significant activity, with a substantial $13.6 million being transacted. 

So far, overall asset outflows related to this security incident on Curve pools have crossed $41 million, according to estimates from security firm BlockSec.

Curve Finance is a decentralized exchange (DEX) optimized for efficient stablecoin trading. Over time, it has expanded its offerings to cater to other types of assets. Factory pools describe a system where new liquidity pools can be created using a standardized framework or “factory.” Instead of the Curve team manually creating each pool, this system offers a more permissionless approach, enabling projects or individuals to launch their own liquidity pools leveraging Curve’s infrastructure.

Vyper version vulnerabilities

Today’s outflows involved a sequence of interactions. They began with a flashloan, which appeared to exploit the reentrancy vulnerability associated with certain older compiler versions of Vyper – the smart contract programming language used to write the code for these factory pools, as explained by Igor Igamberdiev, the head of research at Wintermute. 

Vyper has acknowledged that its versions 0.2.15, 0.2.16, and 0.3.0 are vulnerable to malfunctioning reentrancy locks, with investigations ongoing.

While the immediate reaction was dominated by concerns of a massive security breach, on-chain data suggests that MEV bots might have front-run some of these transactions. This has led to speculation that whitehat hackers could be involved.

"We're running a large white hat rescue operation. Please reach out if you think you're affected as a project," a security researcher who goes by the pseudonym ‘pcaversaccio’ announced on Twitter. 

© 2023 The Block. All Rights Reserved. This article is provided for informational purposes only. It is not offered or intended to be used as legal, tax, investment, financial, or other advice.