Curve Finance swimming pools exploited in over $24M attributable to reentrancy vulnerability

A number of steady swimming pools on Curve Finance utilizing Vyper have been exploited on July 30, with losses reaching $24 million on the time of writing. Based on Vyper, its 0.2.15, 0.2.16 and 0.3.0 variations are susceptible to malfunctioning reentrancy locks. 

“The investigation is ongoing however any mission counting on these variations ought to instantly attain out to us,” Vyper wrote on X.

We’re operating a big white hat rescue operation. Please attain out in case you assume you are affected as a mission. https://t.co/tssWcRHg35

— sudo rm -rf –no-preserve-root / (@pcaversaccio) July 30, 2023

Based on preliminary investigation, some variations of the Vyper compiler don’t accurately implement the reentrancy guard, which prevents a number of features from being executed on the similar time by locking a contract. Reentrancy assaults can probably drain all funds from a contract.

Quite a few decentralized finance initiatives have been affected by the assault. Decentralized trade Ellipsis reported {that a} small variety of steady swimming pools with BNB have been exploited utilizing an previous Vyper compiler. Alchemix additionally witnessed $13.6 million outflow, together with $11.4 million exploited on JPEGd’s.

Curve Finance is a DeFi protocol that permits the decentralized trade (DEX) of stablecoins inside Ethereum.

This can be a growing story, and additional data will likely be added because it turns into accessible.