
Reports | Issue #3

Earlier this month, the decentralized finance (DeFi) protocol Curve was exploited for over $70 million worth of crypto assets. The incident highlighted the ongoing risks in the fast-moving world of DeFi, and in particular the risk that sits in a project's toolchain rather than in its own code.

For those unfamiliar, Curve is an exchange platform that lets users trade between different stablecoins pegged to the US dollar. It is one of the largest DeFi protocols, with billions locked in its smart contracts.

The exploit did not stem from a flaw in Curve's own source code. It came from a bug in certain versions of the Vyper compiler used to build several of Curve's pools: the reentrancy protection those versions emitted did not work, so an attacker could call back into a pool while it was in the middle of a withdrawal and have it mint or pay out more than it should. Flash loans supplied the capital for the attack transactions, so the attacker did not need large holdings of their own.

This exploit reveals a few important points about risks in crypto and DeFi:

  1. Smart contract risks are real. Like any software, smart contracts can contain bugs that attackers will find and exploit. In this case the flaw was not in Curve's source but in the compiler that built it, so a source-level audit alone would not have caught it: the compiler, libraries and deployment tooling are part of the attack surface and need the same scrutiny as the contract code.

  2. Funds left in a protocol are exposed. The assets drained were those users had deposited into Curve's pool contracts, not funds sitting in users' own wallets. Anything held on-chain in a live contract (or in a hot wallet used to interact with one) is only as safe as that code; keep long-term holdings in offline cold storage and limit what is deployed at any one time.

  3. Counterparty risk exists. Users of a DeFi protocol depend on its developers, its governance and its dependencies getting things right. Assess that risk before supplying liquidity to a protocol.

While disturbing, this exploit is an opportunity to improve. Developers are re-auditing code and checking which compiler versions their deployed contracts were built with, regulators are paying closer attention to DeFi, and users are learning how to interact safely with these tools. Crypto still holds promise, but thoughtful precautions are necessary.

Further story of the Curve exploit

On July 30th, Curve Finance suffered attacks on several of its liquidity pools, resulting in over $70 million in losses. The root cause was a bug in Vyper, the Python-like language and compiler for Ethereum smart contracts that Curve uses. Vyper versions 0.2.15, 0.2.16 and 0.3.0 compiled the @nonreentrant lock incorrectly, so the guard that should have stopped a function from being re-entered while another locked function was still running did nothing. An attacker could trigger a withdrawal, receive the ETH payout part-way through, and call back into the pool while its balances and LP token supply were out of step, tricking it into miscalculating balances and paying out funds it did not owe. Only contracts compiled with the affected versions were at risk; the compiler version is recorded alongside a contract's verified source on block explorers, which is the first thing to check for any deployed Vyper contract.
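To make the failure mode concrete, here is a toy Python model of a pool withdrawal protected by a reentrancy lock. It is an added illustration, not Curve's or Vyper's code: the Pool and Attacker classes, the 1000 ETH / 1000 LP reserve and the attacker's starting 500 LP are all constructed, and the "one lock slot per function" behaviour is a simplified stand-in for the compiler bug, not a reproduction of it. It covers the remove-then-add sequence described in this paragraph and in the summary at the top of the page: with the broken guard the attacker ends the cycle holding more value than they started with, at the other liquidity providers' expense; with a lock shared by both functions the re-entrant call is rejected.

```python
"""Toy model of a reentrancy bug in a liquidity pool.

Added illustration, not Curve's or Vyper's code. All numbers are constructed.
remove_liquidity pays out ETH (which hands control to the caller) before the
LP supply is updated. A lock slot allocated per function (the assumed shape
of the bug) lets the caller re-enter add_liquidity while accounting is
half-updated; a lock shared by both functions blocks the re-entry.
"""


class Reentered(Exception):
    """Raised when a locked function is entered again (a revert on-chain)."""


class Pool:
    def __init__(self, shared_lock: bool):
        self.shared_lock = shared_lock
        self.locks = {}          # lock slots: one per key (fixed) or per function (bug)
        self.eth = 1000          # constructed ETH reserve
        self.total_lp = 1000     # LP token supply, initially 1:1 with the reserve
        self.lp = {}             # LP balances by holder

    def _slot(self, fn):
        # Fixed compiler: every function tagged with the same key shares one slot.
        # Buggy compiler (assumed model): each function silently gets its own slot.
        return "lock" if self.shared_lock else fn

    def _acquire(self, fn):
        if self.locks.get(self._slot(fn)):
            raise Reentered(fn)
        self.locks[self._slot(fn)] = True

    def _release(self, fn):
        self.locks[self._slot(fn)] = False

    def add_liquidity(self, user, amount):
        self._acquire("add_liquidity")
        try:
            # Mint LP pro rata to the reserve as the pool currently sees it.
            minted = amount * self.total_lp // self.eth
            self.eth += amount
            self.total_lp += minted
            self.lp[user] = self.lp.get(user, 0) + minted
            return minted
        finally:
            self._release("add_liquidity")

    def remove_liquidity(self, user, lp_amount):
        self._acquire("remove_liquidity")
        try:
            eth_out = lp_amount * self.eth // self.total_lp
            self.eth -= eth_out
            # The ETH transfer runs the receiver's code while total_lp and the
            # user's LP balance still hold their pre-withdrawal values.
            user.receive_eth(self, eth_out)
            self.total_lp -= lp_amount
            self.lp[user] -= lp_amount
            return eth_out
        finally:
            self._release("remove_liquidity")


class Attacker:
    """Constructed attacker contract: re-deposits its payout mid-withdrawal."""

    def __init__(self):
        self.eth = 0
        self.reentered = False

    def receive_eth(self, pool, amount):
        self.eth += amount
        try:
            pool.add_liquidity(self, amount)   # stale total_lp => too many LP minted
            self.eth -= amount
            self.reentered = True
        except Reentered:
            pass   # the guard held; keep the payout and do nothing


def run_attack(shared_lock: bool):
    """One remove/add cycle; returns value held by the attacker and by everyone else.

    The attacker starts with 500 LP (constructed prior deposit) out of a
    1000 LP supply, worth 500 of the pool's 1000 ETH.
    """
    pool = Pool(shared_lock)
    attacker = Attacker()
    pool.lp[attacker] = 500
    pool.remove_liquidity(attacker, 500)
    attacker_lp = pool.lp.get(attacker, 0)
    return {
        "reentered": attacker.reentered,
        "attacker_value": attacker.eth + attacker_lp * pool.eth // pool.total_lp,
        "others_value": (pool.total_lp - attacker_lp) * pool.eth // pool.total_lp,
        "pool_eth": pool.eth,
        "total_lp": pool.total_lp,
    }


if __name__ == "__main__":
    print("per-function lock:", run_attack(shared_lock=False))
    print("shared lock:     ", run_attack(shared_lock=True))
```

With the per-function lock the attacker finishes with 666 ETH of value against the 500 they started with, and the remaining providers' 500 LP is now worth 333 ETH. The on-chain fix was to rebuild with a patched compiler, but the model also shows the classic defensive ordering point: had remove_liquidity updated total_lp and the user's balance before sending ETH, the re-entrant add_liquidity would have found nothing stale to exploit even with no lock at all.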

Over 75% of the stolen funds have since been returned. Part of the proceeds never reached the attacker at all: MEV (maximal extractable value) bots front-ran some of the exploit transactions and captured the funds themselves, in what amounted to a "white hat" rescue, and their operators later gave them back. One of them, the prolific bot operator "c0ffeebabe.eth", had returned funds from earlier exploits in the same way.

The hacker who attacked the NFT lending platform JPEG'd, sparking the series of other attacks, returned the funds along with an on-chain message stating that they were not scared of being tracked but did not want to ruin the project. Curve still has an active $1.85 million bounty for anyone who can identify the remaining exploiter so that the rest of the funds can be recovered.

One concern that worried the DeFi ecosystem was contagion risk, especially through the lending protocol Aave, where Curve's CEO held a large loan collateralized with CRV tokens that came close to liquidation as the token's price fell. The CEO has since added collateral on Aave and paid down nearly $4 million in debt, stabilizing the position.

In the end

The DeFi ecosystem looks to have returned to a healthy state, thanks to its community and the volunteers who worked together to recover funds, although one exploiter remains at large despite the bounty.