Curve Finance, a significant player in decentralized finance (DeFi), was threatened with near-collapse due to a critical vulnerability in the Vyper programming language.
This exploit risked nearly $100 million in digital assets, but a surprising reprieve came from a source normally associated with traditional finance — a centralized exchange price feed.
The issue was rooted in specific versions of the Vyper compiler whose reentrancy lock malfunctioned. This flaw facilitated a sizable drain from four Curve pools, plummeting the value of Curve’s native token (CRV) to as low as $0.086 on decentralized exchanges.
While it may seem antithetical to DeFi’s core principles, the CEX price feed held the CRV price at $0.60 on centralized exchanges, preventing the token’s total collapse. Curve’s pools use Chainlink’s oracle system, which integrates price feeds from several sources, including CEXs.
❤💛💚💙
If #ChainLink team listened to Chris Blec, the whole Curve protocol would be at ZERO right now.
ChainLink price feed includes CEXes.
CRV hit $0.086c DEX, but was $0.60c CEX. #LINK team have a multi-sig for now, and plan to decentralize when the Bug-Eaters take over pic.twitter.com/tE6gFgPF9J
— yourfriendSOMMI ❤️💛💚💙 (@yourfriendSOMMI) July 30, 2023
The price feeds from centralized exchanges, part of Chainlink’s oracle system used by Curve’s pools, played a key role in this incident.
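As an added example (not code from the article, Curve or Chainlink), the following simplified model shows why a multi-source median aggregation with a staleness filter is hard to drag down with a single venue: the DEX prices collapse to the article's $0.086 while the CEX quotes stay near $0.60, and the median follows the CEX side. Venue names, timestamps, thresholds and the median rule are constructed assumptions for illustration, not Chainlink's actual algorithm.

```python
from dataclasses import dataclass
from statistics import median
from typing import List, Optional


@dataclass
class Quote:
    source: str   # venue name (constructed sample names below)
    price: float  # CRV/USD
    ts: int       # unix seconds at which the quote was observed


def aggregate_price(quotes: List[Quote], now: int,
                    max_age: int = 60, min_sources: int = 3) -> Optional[float]:
    """Median of quotes no older than max_age seconds.

    Returns None when too few fresh quotes survive the staleness filter,
    so a consumer can refuse to act rather than trust a thin sample.
    """
    fresh = [q.price for q in quotes if now - q.ts <= max_age]
    if len(fresh) < min_sources:
        return None
    return median(fresh)


def flag_outliers(quotes: List[Quote], reference: float,
                  max_dev: float = 0.25) -> List[str]:
    """Sources whose price deviates from the reference by more than max_dev (fraction)."""
    return [q.source for q in quotes
            if abs(q.price - reference) / reference > max_dev]


# Constructed sample: DEX pools mid-incident vs. CEX order books; the two
# headline prices ($0.086 and $0.60) are the figures quoted in the article.
NOW = 1_690_700_000
SAMPLE = [
    Quote("dex-pool-a", 0.086, NOW - 5),
    Quote("dex-pool-b", 0.090, NOW - 8),
    Quote("cex-1", 0.60, NOW - 3),
    Quote("cex-2", 0.60, NOW - 4),
    Quote("cex-3", 0.61, NOW - 6),
    Quote("cex-stale", 0.70, NOW - 600),  # ten minutes old: dropped by the filter
]

if __name__ == "__main__":
    ref = aggregate_price(SAMPLE, NOW)
    print("aggregated CRV/USD:", ref)                      # 0.6
    print("divergent venues:", flag_outliers(SAMPLE, ref))  # DEX pools only
    dex_only = [q for q in SAMPLE if q.source.startswith("dex")]
    print("DEX-only median:", aggregate_price(dex_only, NOW, min_sources=1))
```

The DEX-only run shows what a feed sourced purely from the drained pools would have reported; the mixed run shows the CEX quotes holding the median, and the outlier list is the signal a monitoring job would alert on.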
Binance, one of the major players in the cryptocurrency exchange realm, emerged unscathed from the Vyper vulnerability. CEO Changpeng Zhao, while highlighting the importance of keeping code libraries updated, pointed out the irony of a centralized system coming to the rescue of a decentralized protocol:
“It’s important to stay up-to-date with code libraries, apps and OS. And stay SAFU [Secure Asset Fund for Users].”
The exploitable issue within Vyper’s earlier versions 0.2.15, 0.2.16 and 0.3.0 is believed to be at least 1.5 years old; it affected Curve’s aETH/ETH, msETH/ETH, pETH/ETH and CRV/ETH pools. The meticulous planning and resources invested in the attack led a Vyper contributor to suggest that it may have been a state-sponsored effort.
The market has been contracting, which means opportunities for bugs are also contracting, which means black hats are looking for fresh, untapped sources to explore.
I think that fresh, untapped source is now searching for compiler 0 days.
That’s terrifying for a number of reasons.
— señor doggo 🏴🏴☠️ in his wartime ceo era (@fubuloubu) July 31, 2023