Over the weekend, Curve Finance, a prominent decentralized finance (DeFi) platform, fell victim to a hack, sparking unease among the crypto community. Although the damage was deemed manageable, the incident took an alarming turn that calls attention to potential future threats.
Once again, the DeFi landscape suffered an intrusion, this time affecting Curve Finance, a platform known for its solidity and security. On Sunday, a hacker successfully exploited a vulnerability in the code of various liquidity pools, resulting in the theft of $24 million worth of tokens. The compromised pools involved different variants of ether, which are tokenized representations of Ethereum and commonly utilized in various smart contracts, such as staking or lending. Curve Finance’s liquidity pools aim to provide stable price tracking for these tokenized ethers.
The targeted assets in the hack were aIETH, msETH, and pETH, which, though not major cryptocurrencies, were significant enough to tempt the hacker into executing what is regarded as one of the most intricate hacks in recent times.
The breach originated from a bug in Vyper, a programming language for smart contracts written in Python. Termed as a “zero-day exploit,” this particular vulnerability had not been previously identified and was only publicly disclosed the day before the attack. The exploit affected certain outdated versions of Vyper, notably version v0.3.0 from October 2021.
A Vyper developer expressed concern over the hack, highlighting that the vulnerability was not commonly known and might not have been on the radar of typical analysts. The process of discovering and exploiting this weakness likely took weeks or even months, suggesting that a coordinated effort, possibly by a small group or even state-funded hackers, was involved due to the extensive resources invested in the endeavor.
Interestingly, despite the significant breach of $24 million, the loot from recent hacks has seen a considerable decline. During the DeFi and NFT hype, hackers managed to steal hundreds of millions, if not billions of dollars. However, the current climate presents a challenge, as hackers now need to work harder to siphon off comparable sums that would have been considered substantial just two years ago. This might come as a relief, but the anonymous Vyper developer finds it disturbing.
With the market contracting and opportunities for bugs decreasing, hackers are turning their attention to fresh and pristine sources to exploit. The focus appears to be shifting towards identifying zero-day exploits in compilers for smart contracts. Only two compilers are widely used: Solidity and Vyper, with Vyper occupying a niche position. Consequently, there could be numerous smart contracts compiled with older versions of Solidity that may still be vulnerable to zero-day exploits.
In essence, the Ethereum blockchain could be likened to a sea filled with undiscovered icebergs, waiting for a Titanic moment. While few incentives currently exist to uncover and address these potential vulnerabilities, hackers continue their relentless pursuit of opportunities amidst the frenzy of new token and protocol creations.