
Introduction:
Less than a week after a substantial breach of multiple liquidity pools on Curve Finance, which led to losses in the millions, the hacker responsible returned a significant portion of the pilfered funds. This gesture followed an encrypted message indicating their motivation. Simultaneously, Curve Finance initiated a bounty program to unmask the hacker. This event has raised concerns about the reliability of the Vyper programming language and its implications for the wider DeFi (Decentralized Finance) ecosystem.
Return of Funds and Encrypted Message:
The hacker responsible for exploiting several liquidity pools within Curve Finance returned a considerable sum of the stolen assets, totaling around $12.7 million in alETH and ETH to Alchemix. This move was accompanied by a cryptic message explaining their rationale for the refund. A notable portion of the stolen funds, valued at approximately $10 million, was also returned to the NFT lending protocol, JPEG’d.
Curve Finance’s Response:
Curve Finance announced via Twitter on August 6, 2023, that the hacker had not returned the entirety of the stolen funds within the designated timeframe. Consequently, the company extended a bounty offer of $1.85 million to anyone who could uncover the identity of the hacker.
Origin of the Hack:
The breach that impacted multiple liquidity pools on Curve Finance occurred on July 30, 2023, resulting in substantial losses of around $70 million and triggering concern throughout the DeFi community. The vulnerability that led to these hacks was attributed to Vyper, a Python-based programming language used for Ethereum smart contracts within Curve and other decentralized protocols. Because some of the stolen funds have been recovered by ethical hackers and MEV (Miner Extractable Value) bot operators, the total loss might be lower than initially estimated.
Exploitation Mechanism:
Vyper’s similarities to Python have made it appealing to developers entering the DeFi space. However, vulnerabilities within versions 0.2.15, 0.2.16, and 0.3.0 of Vyper exposed certain smart contracts to re-entrancy attacks. In a re-entrancy attack, an external call made partway through a contract function is used to call back into the contract before that function has finished updating its state, which lets the attacker manipulate the contract’s calculations and siphon off funds held by the affected protocols.
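The following is an added illustration, not code from Curve or the Vyper compiler. It is a constructed Python model of the defect class behind the affected compiler versions: a `@nonreentrant` lock whose key was meant to be shared by every function tagged with it, but which in practice guarded each function separately, so a callback during `remove_liquidity` could re-enter `add_liquidity` while the pool’s balances were inconsistent. The pool numbers and function names are invented for the demonstration.

```python
"""Constructed model of a cross-function re-entrancy lock (not Vyper code)."""
import functools


class ReentrancyError(RuntimeError):
    pass


def nonreentrant(key, shared):
    """shared=True: one lock slot per key (intended). shared=False: one slot
    per function, so the key no longer protects across functions (the bug)."""
    def deco(fn):
        @functools.wraps(fn)
        def wrapper(self, *args):
            slot = key if shared else f"{key}:{fn.__name__}"
            if self._locks.get(slot):
                raise ReentrancyError(f"re-entered via {fn.__name__}")
            self._locks[slot] = True
            try:
                return fn(self, *args)
            finally:
                self._locks[slot] = False
        return wrapper
    return deco


def make_pool(shared_lock):
    """Toy ETH pool: 100 ETH backing 100 LP tokens (constructed values)."""
    class Pool:
        def __init__(self):
            self._locks, self.eth, self.lp_supply = {}, 100.0, 100.0

        @nonreentrant("lock", shared_lock)
        def remove_liquidity(self, lp, receiver):
            out = self.eth * lp / self.lp_supply
            self.eth -= out
            receiver(self)          # external call before lp_supply is updated
            self.lp_supply -= lp    # state is inconsistent during the callback
            return out

        @nonreentrant("lock", shared_lock)
        def add_liquidity(self, amount):
            minted = amount * self.lp_supply / self.eth
            self.eth += amount
            self.lp_supply += minted
            return minted
    return Pool()


def simulate(shared_lock):
    """Return (reentrant call was blocked, LP minted by the re-entrant call)."""
    pool, result = make_pool(shared_lock), []
    def callback(p):                # receiver re-enters during the payout
        try:
            result.append(p.add_liquidity(10.0))
        except ReentrancyError:
            result.append(None)
    pool.remove_liquidity(50.0, callback)
    return result[0] is None, result[0]
```

With the shared lock the re-entrant call is rejected; with the per-function lock it succeeds and mints 20 LP for 10 ETH, twice the fair amount, because `lp_supply` has not yet been reduced when the callback runs.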
Sequence of Exploits:
The breach initiated with an attack on the pETH-ETH pool of NFT lending protocol JPEG’d, resulting in a theft of $12 million. Subsequently, an MEV bot pre-emptively carried out a similar transaction, indicating a potential white hat effort to thwart the attack. Following this, a series of attacks targeted other pools, including alETH-ETH, sETH-ETH, and CRV/ETH. Curve’s CEO confirmed significant losses from its CRV tokens.
Role of MEV Bots:
MEV bots were central to front-running attempted hacks on Curve Finance. In some instances, these operators acted ethically by returning funds acquired through malicious transactions. Notably, c0ffeebabe.eth, a prolific white hat hacker, successfully exploited and later restored substantial sums from Curve’s pools and other affected protocols.
Aftermath and Concerns:
Upon the revelation of the breaches, CRV experienced a 5% decline. This decline, coupled with the risk of malicious actors selling stolen CRV tokens in a less liquid market, raised fears of wider ramifications for DeFi protocols. Notably, the AAVE lending protocol faced the possibility of bad debt due to Curve CEO Egorov’s significant borrow position backed by CRV token collateral.
Path Forward and Conclusion:
Curve Finance has yet to outline a comprehensive recovery plan, but it has advised users to withdraw funds from Vyper-based pools. The incident underscores the need for robust programming languages and security measures within the DeFi ecosystem. The vulnerabilities highlighted by the hack have prompted critical examination and discussions about the future of smart contract languages and security mechanisms to prevent such breaches in the future.
