Hackers have zeroed in on a vulnerability in the Vyper programming language — a well-known tool widely used for developing Web3 projects that target the Ethereum Virtual Machine (EVM) — on two significant DeFi protocols: BNB Smart Chain and Curve Finance.
Vyper is known for its similarities to Python, making it a common starting point for Python developers venturing into DeFi. The attacks in question exploited a flaw in the reentrancy lock of Vyper versions 0.2.15, 0.2.16, and 0.3.0, leading to multiple breaches across different protocols.
The losses have been significant across several platforms. On the BNB Smart Chain (BSC), multiple attacks exploiting the reentrancy lock vulnerability in those Vyper versions (0.2.15, 0.2.16 and 0.3.0) were reported on July 30. Blockchain security firm BlockSec reported that these attacks led to the theft of around $41 million worth of cryptocurrencies.
The sheet updated. Losses are already ~$41m! https://t.co/lCaS4uEPzm https://t.co/stQYNJFS7y
— BlockSec (@BlockSecTeam) July 30, 2023
Curve Finance, a DeFi protocol, suffered even more on the same day. Several of its stable pools using the afflicted Vyper versions were exploited, with losses exceeding $47 million. A total of 32 million CRV tokens worth over $22 million were drained from the swap pool, as confirmed by Curve on Twitter.
Someone drained 32 million $CRV from the swap pool, 0x8301ae4fc9c624d1d396cbdaa1ed877821d7c511
— Andrew T (@Blockanalia) July 30, 2023
The reentrancy lock is a critical component that should stop a guarded function from being entered again while an earlier call into the contract is still executing, for example through an external call made mid-function. When correctly implemented, this guard would have thwarted the attackers. But in the affected Vyper versions the reentrancy guard was not implemented correctly, leaving a number of DeFi pools susceptible to attack.
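To make concrete what a correctly implemented reentrancy lock must do, the following is an added Python model (not code from Vyper, Curve or BlockSec) of a guard whose lock is shared by every function carrying the same key, beside one that keeps a separate flag per function; the `Pool`, its two entry points and the `lock` key are constructed for illustration.

```python
# Constructed Python model of a contract reentrancy guard (it is not Vyper source).
# Vyper's @nonreentrant(key) is modelled as a decorator. A correct guard keeps one lock
# slot per key for the whole contract; a per-function slot only stops self re-entry.

class ReentrancyError(Exception): ...

def nonreentrant(key):
    def deco(fn):
        def wrapper(self, *args):
            slot = key if self.shared_slots else f"{key}:{fn.__name__}"
            if self.locks.get(slot):
                raise ReentrancyError(f"{fn.__name__}: lock {slot!r} already held")
            self.locks[slot] = True
            try:
                return fn(self, *args)
            finally:
                self.locks[slot] = False   # released on every exit path
        return wrapper
    return deco

class Pool:
    def __init__(self, shared_slots):
        self.shared_slots = shared_slots   # True = correct layout, False = per-function slots
        self.locks = {}
        self.balance = 100
        self.callback = None               # stands in for an external call made mid-function

    @nonreentrant("lock")
    def remove_liquidity(self, amount):
        if self.callback:                  # external call before the balance is written:
            self.callback(self)            # exactly the window the guard must cover
        self.balance -= amount
        return self.balance

    @nonreentrant("lock")
    def add_liquidity(self, amount):
        self.balance += amount
        return self.balance

def cross_function_reentry_blocked(shared_slots):
    """True if a callback issued inside remove_liquidity cannot enter add_liquidity."""
    pool, entered = Pool(shared_slots), []
    def hook(p):
        try:
            entered.append(p.add_liquidity(1))
        except ReentrancyError:
            pass
    pool.callback = hook
    pool.remove_liquidity(10)
    return not entered
```

The check to carry over to a real audit is the same: every function that touches shared pool state must contend for the same lock, and the lock must be released on every exit path.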
Several other DeFi projects have also reported losses, such as Ellipsis, which reported losses of an unspecified amount in its BNB stable pools.
A small number of stablepools with BNB using an old Vyper compiler have been exploited.
We are assessing the situation and will update the community on any further findings. https://t.co/pxkhRRSr5w
— Ellipsis (@Ellipsisfi) July 30, 2023