In a recent turn of events, the decentralized stablecoin protocol Curve faced a significant reentrancy attack resulting in severe losses. Here, MetaTrust Labs presents a security analysis of the incident and provides essential security recommendations.

Event Recap

According to Curve Finance's official Twitter account, on July 31, 2023, some stablecoin pools (alETH/msETH/pETH) written using Vyper version 0.2.15 were subjected to a reentrancy attack. Curve Finance clarified that this attack was caused by a malfunctioning reentrancy lock in Vyper 0.2.15 and solely affected pools using pure ETH. Presently, Curve is assessing the extent of the damage, ensuring the safety of other pools.

Based on MetaTrust Labs' analysis, this vulnerability was introduced between August and October 2021, primarily due to the Vyper compiler versions 0.2.15/0.2.16/0.3.0. The root cause of the exploit was a compiler bug that resulted in ineffective reentrancy protection in the generated bytecode.

As per on-chain data, the Curve Finance stablecoin pool hack has led to cumulative losses of $52 million in projects like Alchemix, JPEG’d, and the CRV/ETH pool. The Curve Finance native token, CRV, has also taken a hit, experiencing a drastic intraday drop of over 15%.

Root Causes

Curve Finance fell victim to this attack due to the use of Vyper, a smart contract programming language, with version 0.2.15. Unfortunately, this version contained a bug known as "malfunctioning reentrancy locks," which attackers exploited to cause the losses. The vulnerability faced by Curve Finance is categorized as a Language Specific flaw.

Language Specific vulnerabilities arise from defects or incompatibilities in the programming language or compiler itself. These types of vulnerabilities are challenging to detect and prevent since they result from issues with the underlying technical platform rather than developer oversight or logical errors. Moreover, such vulnerabilities may affect multiple projects or contracts utilizing the same language or compiler.

Vyper, as a Python-based smart contract programming language, aims to provide higher security and readability. It claims to be "security-first" and omits certain features, such as classes, inheritance, modifiers, and inline assembly, which could introduce security risks. Nevertheless, Vyper is not without flaws and may still have bugs or vulnerabilities that can impact contract security. In addition to the reentrancy lock fault faced by Curve Finance, Vyper has previously encountered issues like array overflows, integer overflows, and storage access errors.

Security Suggestions

In response to the reentrancy attack on Curve Finance, several measures have been taken or proposed. Here are some potential security actions Curve could take:

Conclusion

The reentrancy attack on Curve Finance serves as a regrettable security incident and a thought-provoking lesson. In the realm of DeFi, security always takes precedence, and project teams must continually raise their awareness and capabilities to combat potential threats. In this ever-evolving landscape, even the smallest detail can become an attacker's point of entry.

Follow Us

Twitter: @MetaTrustLabs

Website: metatrust.io