More than $24m in cryptocurrencies was hacked from liquidity pools on the automated market maker platform Curve on Sunday. The liquidity pools – which are smart contracts that hold cryptos and can provide liquidity to crypto markets in without financial intermediaries – were compromised by ‘a bug’.
The hackers managed to leverage a vulnerability within Vyper, an alternative programming language for smart contracts.
“A number of pools using Vyper 0.2.15, 0.2.16 and 0.3.0 have been exploited as a result of a malfunctioning reentrancy lock related to a Vyper bug. All affected pools have been drained or white hacked and the team is assessing the situation with affected teams,” Curve said.
Pools that were targeted held the alETH/ETH (Alchemix ETH/Ethereum), msETH/ETH (Metronome Synth ETH/Ethereum), pETH/ETH (PumpETH/Ethereum) and CRV/ETH (Curve DAO Token/Ethereum) currencies.
NTF lending protocol
One of the hacked protocols was the NFT lending protocol JPEG’d, which, according to decentralized finance security firm Decurity, lost over $11m worth of crypto in the attack.
“There was an attack on the pETH-ETH curve pool. The vault contracts allowing to borrow against NFTs are safe and still running solidly. NFTs and the treasury funds are safe”, JPEG’d said. “The issue seems to be related to the curve pool.”
“A number of pools using Vyper 0.2.15, 0.2.16 and 0.3.0 have been exploited as a result of a malfunctioning reentrancy lock related to a Vyper bug.”
Curve
Later, Alchemix and MetronomeDAO were also found to have had assets stolen, $13.6m and $1.6m respectively. Alchemix is reportedly looking into the effects of the hack, and ensured users that the funds in their vaults are safe. Yet, providing liquidity into the ALETH/ETH curve is still unsafe they said.
And MetronomeDAO’s investigation pointed to that the recent activity on the msETH-ETH Curve pool “appears to be part of a broader set of exploits targeting certain Curve pools”.
Other remaining pools are at Curve platform are said to be safe and unaffected by the bug. Curve said that the investigation is still going in, but that any project that is relying on Vyper versions 0.2.15, 0.2.16 and 0.3.0 should immediately contact them.