A weekend exploit that targeted Curve Finance is shaking confidence in decentralized finance.
The DeFi protocol saw several of its liquidity pools exploited on Sunday as a result of a bug in smart contracts that use versions of the Vyper coding language. Attackers stole $24 million, and several stablecoin pools using Vyper contracts were drained due to a re-entrancy vulnerability.
The Curve DAO token has fallen over 12% in the past 24 hours to $0.63, according to CoinGecko. A researcher who goes by Ignas Defi Research said the plunge signaled a rupture of confidence in decentralized finance.
"Confidence in DeFi is definitely shaken, if a protocol that ran without problems for three years gets exploited, it makes us question how safe other blue-chip protocols like Aave, Compound, or even Uniswap are," Ignas told The Block. "There are already concerns that Uniswap v4, with its monolithic smart contract design, would be more risky if hacked, as all the money would be instantly vulnerable."
The hack was not only significant because of the millions of dollars at stake, but also because it exploited an unexpected vulnerability in the Vyper code.
"The worst thing about the Curve hack is this is not something a typical researcher would have looked for, they dug deep in our release history to find an exploitable issue for a large protocol with many millions at stake, this took a significant amount of time to identify," a leading Vyper language contributor said.
Curve Finance exploit raises wider concerns
Ignas said the exploit "raises concern that any protocol compiled with Vyper could be at risk." The researcher emphasized that hackers exploited the Vyper compiler, not Curve's smart contracts themselves.
"No one was focusing on the Vyper compiler itself, and this is concerning because now any protocol compiled with Vyper could be at risk," Ignas added.
Ignas highlighted the $100 million in liquidations on Aave V2, Frax and Abracadabra following the attack. "The liquidations could leave these protocols with bad debt, meaning that some users would not be able to withdraw their deposited capital."
The researcher added that several protocols that are reliant on Curve, like Frax and Alchemix, depend on CRV liquidity for their synthetix assets.
The hack could be a set back for institutional adoption of DeFi and its use at scale. The Curve Finance exploit comes on the back of a June report stating $204 million was drained via DeFi hacks and scams in the second quarter of 2023 alone.
"Institutions might get put off depositing significant capital in DeFi in the short term, for example, Project Mariana, involving the BIS Innovation Hub, Bank of France, Monetary Authority of Singapore, and Swiss National Bank, were exploring Curve v2 HFMM for on-chain wholesale CBDC pools. Will they be cautious to move forward following the hack? Time will tell," Ignas added.
Ignas said the exploit showed that changes to compilers need to be audited, which will be an expensive lesson for the industry.
"Definitely a dark day in DeFi, but the money lost and the attack vector are not lethal neither to Curve nor the DeFi ecosystem itself," Ignas added.
© 2023 The Block. All Rights Reserved. This article is provided for informational purposes only. It is not offered or intended to be used as legal, tax, investment, financial, or other advice.