Over $70M Stolen From Multiple DeFi Protocols Due To Vyper Code Bug

Multiple DeFi protocols are reeling after vulnerabilities identified with the Vyper smart contract language led to hackers draining over $70M from Curve, Alchemix, and JPEG’d.

Some web3 community members are recommending that users withdraw all assets from Curve pools.

On July 30, Vyper, the team behind a Python-based smart contract language compatible with EVM networks, revealed that the latest versions of its compiler did not correctly implement safeguards against reentrancy attacks. A reentrancy attack is a malicious maneuver in which an attacker repeatedly calls a function within a smart contract before its previous function call is completed, exploiting the contract's logic to drain funds or manipulate data.

Curve did not immediately respond to The Defiant’s request for comment but published an official statement confirming the exploit.

Curve DAO’s CRV token is down 15% in the last 24 hours after posting a low near $0.60, according to CoinGecko. However, data from DexScreener shows the token crashed as much as 86% on decentralized exchanges amid the drama.

Millions In Losses

Taylor Monahan, a MetaMask developer, estimates DeFi protocols have lost around $70M so far. However, Monahan noted that significant assets were secured by white-hat hackers and MEV bots, suggesting some of those funds may be recoverable.

The losses include more than $45M in liquidity stolen from DeFi protocols Alchemix, Metronome, and JPEG’d, plus $25M drained from Curve’s CRV/ETH pool, according to Bankless, a web3 media outlet.

Transaction data suggests that the $11M attack on JPEG’d, an NFT lending protocol, was front-run by an MEV bot.

Contagion Risk

CRV’s extreme volatility may not have passed, according on-chain data indicating that the attackers have not yet begun to offload their $4.5M worth of ill-gotten CRV.

The incident has renewed concerns surrounding the DeFi borrowing activities of Curve founder Michael Egorov. Egorov has taken out sizable loans against his more than $100M worth of CRV on top lending protocols including Aave, Fraxlend, Abracadabra, and Inverse Finance.

Egorov responded by paying down some of his debts and increasing the collateral assets supplied, pushing his liquidation price down to $0.37 per CRV on Aave. However, if liquidated, Egorov’s positions would likely accrue bad debt for Aave and other lending protocols as the on-chain liquidity for CRV is insufficient to liquidate Egorov’s position.

Last month, Gauntlet, a risk management company, proposed that Aave freeze its CRV market to mitigate the risks posed by what is now a $59.67M loan against $182M worth of CRV on the protocol. The proposal was rejected by Aave’s community.

Lending Rates Spike

DeFi lenders have responded to the incident by pulling funds from Aave and other protocols, spiking borrowing fees in the process.

Aave’s USDC pool is nearly 93% utilized, driving lending rates up to 22.4%. USDT is also at 89.5% utilization, with borrowers paying interest of nearly 38% — placing further pressure on Egorov’s nearly $60M of borrowed USDT.

Despite the fallout and risks posed by Curve’s exploit, ChainLinkGod, a community ambassador for oracle provider Chainlink, believes things could have been much worse for DeFi if Curve’s CRV/ETH pool was used as an on-chain price oracle throughout the sector, instead of Chainlink’s price feed which aggregates pricing across various centralized and decentralized exchanges.

“Had Aave v2 or other DeFi lending protocols used the (now drained) CRV/ETH Curve pool as an on-chain oracle, they would have gotten completely rekt with bad debt,” they tweeted. “Quite scary to think about.”