Curve Finance, one of the largest decentralized finance (DeFi) protocols, was pushed close to collapse by a critical vulnerability in the Vyper compiler.
Nearly $100 million in digital assets were put at risk, yet a surprising reprieve came from a source normally associated with traditional finance: a centralized exchange (CEX) price feed.
The root cause lay in specific releases of the Vyper compiler, whose implementation of the reentrancy lock did not work as intended: while one guarded function was still mid-execution, a call could re-enter another function guarded by the same lock. Attackers used this to drain four Curve pools, and the price of Curve's native token (CRV) fell as low as $0.086 on decentralized exchanges.
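To make that failure mode concrete, here is an added example, not Curve's code and not the Vyper compiler, that models two ways the storage slot behind a `@nonreentrant("lock")` key could be laid out and shows what a cross-function re-entry does to a toy pool. The pool, the balances, the function names and the order in which `remove_liquidity` updates its books are all assumptions made for this illustration.

```python
"""Toy model of a compiled @nonreentrant lock (added illustration; not Curve's
code, not the Vyper compiler). Two slot layouts are simulated:
  "shared":       every function tagged with the same key checks ONE slot
                  (the intended behaviour);
  "per_function": each function gets its OWN slot for the key, so holding the
                  lock in function A does not block re-entry into function B.
Pool, balances, attacker and accounting order are constructed assumptions."""


class Revert(Exception):
    """Stands in for an EVM revert."""


def nonreentrant(key):
    """Model of @nonreentrant(key): refuse to run while the lock slot is set."""
    def decorate(fn):
        def wrapper(self, *args):
            slot = self._lock_slot(key, fn.__name__)
            if self.storage.get(slot, False):
                raise Revert(f"{fn.__name__}: lock {slot!r} already held")
            self.storage[slot] = True
            try:
                return fn(self, *args)
            finally:
                self.storage[slot] = False
        wrapper.__name__ = fn.__name__
        return wrapper
    return decorate


class Pool:
    """Constructed ETH/LP pool with integer accounting."""

    def __init__(self, slot_layout):
        assert slot_layout in ("shared", "per_function")
        self.slot_layout = slot_layout
        self.storage = {}          # lock slots live here, like contract storage
        self.eth_reserve = 1_000   # ETH the pool believes it holds
        self.lp_supply = 1_000     # LP tokens outstanding
        self.lp = {}               # LP balance per account

    def _lock_slot(self, key, func_name):
        if self.slot_layout == "shared":
            return f"lock:{key}"              # intended: one slot per key
        return f"lock:{key}:{func_name}"      # flawed: one slot per key per function

    @nonreentrant("lock")
    def add_liquidity(self, caller, eth_in):
        minted = eth_in * self.lp_supply // self.eth_reserve
        caller.eth -= eth_in
        self.eth_reserve += eth_in
        self.lp_supply += minted
        self.lp[caller] = self.lp.get(caller, 0) + minted
        return minted

    @nonreentrant("lock")
    def remove_liquidity(self, caller, lp_amount):
        assert self.lp.get(caller, 0) >= lp_amount
        eth_out = lp_amount * self.eth_reserve // self.lp_supply
        self.eth_reserve -= eth_out
        caller.receive(self, eth_out)   # external call: recipient's code runs here
        # LP accounting happens only AFTER the external call: during the callback
        # eth_reserve is already reduced but lp_supply is not (inconsistent state).
        self.lp_supply -= lp_amount
        self.lp[caller] -= lp_amount
        return eth_out


class Account:
    """An LP whose ETH-receive hook tries to re-enter a different guarded function."""

    def __init__(self):
        self.eth = 0
        self.reentered = False

    def receive(self, pool, eth_out):
        self.eth += eth_out
        try:
            pool.add_liquidity(self, eth_out)
            self.reentered = True
        except Revert:
            self.reentered = False          # shared lock held: re-entry refused


def run_attack(slot_layout):
    """Attacker and an honest LP each hold half the pool; attacker withdraws its half."""
    pool = Pool(slot_layout)
    honest, attacker = Account(), Account()
    pool.lp[honest] = 500
    pool.lp[attacker] = 500
    pool.remove_liquidity(attacker, 500)
    lp_value = pool.lp[attacker] * pool.eth_reserve // pool.lp_supply
    return {"reentered": attacker.reentered, "attacker_eth": attacker.eth,
            "attacker_lp": pool.lp[attacker], "attacker_lp_value_eth": lp_value,
            "lp_supply": pool.lp_supply, "eth_reserve": pool.eth_reserve}


if __name__ == "__main__":
    for layout in ("per_function", "shared"):
        print(layout, run_attack(layout))
```

With the per-function layout the attacker withdraws 500 ETH, re-enters `add_liquidity` while the pool's books are half-updated, and ends up holding two thirds of the LP supply (worth 666 ETH) having put in no net ETH; with a single shared slot the re-entrant call reverts and the withdrawal completes normally. The lesson for auditors is that the source-level annotation looked identical in both cases; only the compiler's output differed, so reviewing source alone would not have caught it.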
While it may seem at odds with DeFi's core principles, CRV kept trading at about $0.60 on centralized exchanges, and because the oracle feed reflected those CEX prices rather than the DEX crash, the token was spared a total collapse. Curve's pools use Chainlink's oracle system, which aggregates price data from several sources, including CEXs.
❤💛💚💙 If #ChainLink team listened to Chris Blec, the whole Curve protocol would be at ZERO right now.
ChainLink price feed includes CEXes.
CRV hit $0.086c DEX, but was $0.60c CEX. #LINK team have a multi-sig for now, and plan to decentralize when the Bug-Eaters take over pic.twitter.com/tE6gFgPF9J
— yourfriendSOMMI ❤️💛💚💙 (@yourfriendSOMMI) July 30, 2023
Those CEX-sourced prices, fed into the Chainlink oracles used by Curve's pools, were decisive in the incident.
Binance, one of the major cryptocurrency exchanges, was not affected by the Vyper vulnerability. CEO Changpeng Zhao, stressing the importance of keeping code libraries updated, noted the irony of a centralized system coming to the rescue of a decentralized protocol:
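Why a multi-venue feed resists a crash on one venue is easiest to see in code. The following is an added example, not Chainlink's or Curve's implementation: a volume-weighted median across venues, with a deviation check that flags the venue that disagrees with the rest. The venue names, prices and volumes are constructed sample data, chosen to echo the $0.086 DEX and $0.60 CEX prints quoted above.

```python
"""Multi-venue reference price (added illustration; not Chainlink's algorithm).
Quotes are constructed: (venue, price in USD, traded volume in USD)."""


def volume_weighted_median(quotes):
    """Walk venues from lowest to highest price and return the price at which
    half of the total volume has been accumulated. A thin venue printing far
    from the others cannot move the result on its own."""
    rows = sorted(quotes, key=lambda q: q[1])
    total = sum(q[2] for q in rows)
    if total <= 0:
        raise ValueError("no volume across venues")
    acc = 0
    for _, price, vol in rows:
        acc += vol
        if acc * 2 >= total:
            return price
    return rows[-1][1]


def flag_outliers(quotes, reference, max_rel_dev=0.25):
    """Venues whose price deviates from the reference by more than max_rel_dev
    (25% by default, an arbitrary threshold for the example)."""
    return [v for v, p, _ in quotes if abs(p - reference) / reference > max_rel_dev]


# Constructed sample: three CEX venues near $0.60, one DEX printing $0.086.
SAMPLE_QUOTES = [
    ("cex_a", 0.60, 10_000_000),
    ("cex_b", 0.61, 4_000_000),
    ("cex_c", 0.59, 5_000_000),
    ("dex_x", 0.086, 3_000_000),
]


def reference_price(quotes):
    """Aggregate, then report which venues the aggregate disagrees with."""
    ref = volume_weighted_median(quotes)
    return ref, flag_outliers(quotes, ref)


if __name__ == "__main__":
    print(reference_price(SAMPLE_QUOTES))
    # A feed built from the DEX alone would have reported the crashed price:
    print(reference_price([q for q in SAMPLE_QUOTES if q[0] == "dex_x"]))
```

The aggregate lands on $0.60 and the DEX venue is the only one flagged; a feed that read only that DEX would have returned $0.086 and, in a lending protocol, triggered liquidations against the crashed price.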
“It’s important to stay up-to-date with code libraries, apps and OS. And stay SAFU [Secure Asset Fund for Users].”
The flaw is present in Vyper versions 0.2.15, 0.2.16 and 0.3.0 and is believed to have existed for at least 1.5 years; Curve's aETH/ETH, msETH/ETH, pETH/ETH and CRV/ETH pools, which were built with those compiler releases, were the ones affected. Given the planning and resources the attack required, a Vyper contributor suggested it may have been a state-sponsored effort.
The market has been contracting, which means opportunities for bugs are also contracting, which means black hats are looking for fresh, untapped sources to explore.
I think that fresh, untapped source is now searching for compiler 0-days.
That's terrifying for a number of reasons.
— señor doggo 🏴🏴☠️ in his wartime ceo era (@fubuloubu) July 31, 2023
The information on or accessed through this website is obtained from independent sources we believe to be accurate and reliable, but Decentral Media, Inc. makes no representation or warranty as to the timeliness, completeness, or accuracy of any information on or accessed through this website. Decentral Media, Inc. is not an investment advisor. We do not give personalized investment advice or other financial advice. The information on this website is subject to change without notice. Some or all of the information on this website may become outdated, or it may be or become incomplete or inaccurate. We may, but are not obligated to, update any outdated, incomplete, or inaccurate information.
You should never make an investment decision on an ICO, IEO, or other investment based on the information on this website, and you should never interpret or otherwise rely on any of the information on this website as investment advice. We strongly recommend that you consult a licensed investment advisor or other qualified financial professional if you are seeking investment advice on an ICO, IEO, or other investment. We do not accept compensation in any form for analyzing or reporting on any ICO, IEO, cryptocurrency, currency, tokenized sales, securities, or commodities.
Ethereum Watch does not make any guarantee or other promise as to any results that may be obtained from using our content. To the maximum extent permitted by law, Ethereum Watch disclaims any and all liability in the event any information, commentary, analysis, opinions, advice and/or recommendations prove to be inaccurate, incomplete or unreliable, or result in any investment or other losses.
Content contained on or made available through the website is not intended to and does not constitute legal advice or investment advice and no attorney-client relationship is formed. Your use of the information on the website or materials linked from the Web is at your own risk.
No one should make any investment decision without first consulting his or her own financial advisor and conducting his or her own research and due diligence.