Recently, the world of decentralized finance (DeFi) was shaken by a serious bug discovered in Vyper, a widely used smart contract programming language. On July 30, 2023, attackers exploited that bug to drain tens of millions of dollars' worth of cryptocurrency from Curve Finance liquidity pools.
PSA: Vyper versions 0.2.15, 0.2.16 and 0.3.0 are vulnerable to malfunctioning reentrancy locks. The investigation is ongoing but any project relying on these versions should immediately reach out to us.
— Vyper (@vyperlang) July 30, 2023
For those who may not know, smart contracts are programs that run on a blockchain, and Vyper is a programming language designed specifically for writing them for the Ethereum Virtual Machine (EVM). Its Python-like syntax makes it approachable for developers who already know Python.
The incident matters because the flaw was not in any one protocol's code but in the compiler every affected protocol shared, a reminder that even a well-audited toolchain can carry a latent bug into every contract built with it. The consequences of this exploit serve as a wake-up call for the DeFi community and highlight the need for stricter security processes.
At the heart of this incident is Vyper, a contract-oriented programming language engineered for the Ethereum Virtual Machine (EVM). As a Python-like language, Vyper shares notable similarities with Python, making it an approachable choice for developers familiar with this popular language and venturing into the web3 space.
Vyper's key objective was to close security loopholes and improve smart contract development. To that end, it emphasizes simplicity and readability in its syntax, which is meant to reduce the risk of errors and vulnerabilities in the contracts written with it.
By virtue of its user-friendly nature and the seamless execution it offers on the EVM, Vyper has cemented its place as a trustworthy language for crafting secure, auditable smart contracts within the proliferating world of DeFi. Some of the most trusted projects using Vyper include YFI, Curve, and Alchemix.
The security breach took advantage of a bug in the Vyper compiler itself, which put every DeFi protocol compiled with the affected versions at risk regardless of how carefully its own code had been reviewed. Vyper's @nonreentrant decorator is supposed to place a lock in contract storage so that no guarded function can be entered while another function guarded by the same lock key is still executing. In versions 0.2.15 through 0.3.0 the compiler allocated a separate storage slot for each decorated function instead of one slot per key, so a lock held by one function did not block calls into another. The exploit was a reentrancy attack made possible by that malfunctioning lock.
A reentrancy attack takes place when a contract makes an external call (for example, sending ETH to the caller) before it has finished updating its own state; the callee uses that call to enter the contract again, and the reentrant call executes against state that is only partly updated. When the lock that should prevent this is compiled to a different slot for each function, the attacker simply reenters through a different function than the one that is paying out.
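The following Python model is an added illustration of the two points above: an external call made before state is fully updated, and a reentrancy lock that either is or is not shared across functions. It is constructed for this article and is not Vyper code, not Curve's pool code and not the exploit transaction; the pool, the share arithmetic, the account names and the profit figures are all assumptions chosen to make the mechanism visible.

```python
"""Toy model: a reentrancy lock shared across functions vs. one slot per function.

Constructed illustration, not Vyper and not Curve's code. remove_liquidity()
pays the caller before it has burned the caller's shares, and a malicious
receiver uses that call to reenter add_liquidity() while the share price is
stale. Whether the reentry is stopped depends only on whether both functions
guard the same lock slot.
"""


class Reentered(Exception):
    """Raised when a guarded function is entered while its lock is held."""


class Pool:
    def __init__(self, shared_lock: bool):
        # shared_lock=True: every function guarded by key "lock" checks one
        # storage slot (intended behaviour). shared_lock=False: each function
        # gets its own slot, so the locks never overlap (the bug class in the text).
        self.shared_lock = shared_lock
        self.locks = {}        # lock slot -> held?
        self.eth = 0           # ETH the pool believes it holds
        self.shares = {}       # account -> LP shares
        self.total_shares = 0

    def _slot(self, fn: str) -> str:
        return "lock" if self.shared_lock else f"lock@{fn}"

    def _acquire(self, fn: str) -> None:
        slot = self._slot(fn)
        if self.locks.get(slot):
            raise Reentered(fn)
        self.locks[slot] = True

    def _release(self, fn: str) -> None:
        self.locks[self._slot(fn)] = False

    def add_liquidity(self, who, amount: int) -> int:
        self._acquire("add_liquidity")
        try:
            # Shares are minted at the current share price, computed from the
            # pool's recorded eth and total_shares; stale values here are the bug.
            minted = amount if self.total_shares == 0 else amount * self.total_shares // self.eth
            self.eth += amount
            self.shares[who] = self.shares.get(who, 0) + minted
            self.total_shares += minted
            return minted
        finally:
            self._release("add_liquidity")

    def remove_liquidity(self, who, burn: int) -> int:
        self._acquire("remove_liquidity")
        try:
            payout = burn * self.eth // self.total_shares
            self.eth -= payout
            who.receive(self, payout)     # external call made mid-update
            self.shares[who] -= burn      # burn happens only AFTER the call
            self.total_shares -= burn
            return payout
        finally:
            self._release("remove_liquidity")


class HonestLP:
    def __init__(self):
        self.eth = 0

    def receive(self, pool, amount):
        self.eth += amount


class Attacker:
    """Receiver that reenters the pool exactly once, from inside remove_liquidity()."""

    def __init__(self, target: str):
        self.target = target       # which function to reenter
        self.eth = 0
        self.reentered = False

    def receive(self, pool, amount):
        self.eth += amount
        if not self.reentered:
            self.reentered = True
            if self.target == "add_liquidity":
                self.eth -= 100
                pool.add_liquidity(self, 100)    # share price is stale here
            else:
                pool.remove_liquidity(self, 100)


def run_attack(shared_lock: bool, target: str = "add_liquidity"):
    """Return (attacker_profit_in_eth, blocked). blocked=True means the reentrant
    call hit a held lock, which on-chain would revert the whole transaction."""
    pool, lp, atk = Pool(shared_lock), HonestLP(), Attacker(target)
    pool.add_liquidity(lp, 100)       # honest LP: 100 ETH -> 100 shares
    atk.eth -= 100
    pool.add_liquidity(atk, 100)      # attacker: 100 ETH -> 100 shares
    try:
        pool.remove_liquidity(atk, 100)                 # triggers the reentry
        pool.remove_liquidity(atk, pool.shares[atk])    # cash out the rest
    except Reentered:
        return 0, True
    return atk.eth, False
```

With per-function lock slots, reentering add_liquidity during remove_liquidity mints shares at a stale price and the attacker walks away with 33 ETH of the honest depositor's funds; the same attack against a shared lock is blocked. Note that the per-function lock still blocks reentry into remove_liquidity itself, which is one reason the defect could go unnoticed by tests that only checked same-function reentrancy.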
While many projects were safe because their contracts had not been compiled with the vulnerable Vyper versions, others were not so lucky. The attacker used the reentrancy to drain several liquidity pools on the Curve Finance protocol: alETH/ETH, msETH/ETH, pETH/ETH, and CRV/ETH.
As a result of an issue in the Vyper compiler in versions 0.2.15-0.3.0, the following pools were hacked:
crv/eth
aleth/eth
mseth/eth
peth/eth
Another pool potentially affected is arbitrum's tricrypto. Auditors and Vyper devs could not find a profitable exploit, but please exit that one
— Curve Finance (@CurveFinance) July 31, 2023
This event raised concerns across the DeFi community, since any other ETH pool compiled with the affected versions could be open to the same attack. Here at De.Fi we jumped into action, posting updates as information flowed in via our De.Fi Security account:
🚨 JUST IN: @CurveFinance LP was Exploited
~$19M was lost due to the hack of CRV/ETH LP
Stolen assets:
• 7680 $ETH
• 7,2M $CRV
Eventually, $CRV dropped 82% in price https://t.co/Pq8P2rIWi6
— De.Fi 🛡️ Web3 Antivirus (@DeDotFiSecurity) July 30, 2023
The aftermath of the attack had profound implications for numerous DeFi projects. Alchemix's alETH-ETH pool was stripped of a staggering $13.6 million. The pETH-ETH pool belonging to JPEG'd lost $11.4 million, and Metronome's msETH-ETH pool was also hacked, leading to a loss of $1.6 million. Furthermore, over 32 million Curve DAO (CRV) tokens, equivalent to over $22 million, were drained.
Ellipsis, a decentralized exchange, reported that several stable pools with BNB had been compromised using the faulty Vyper compiler. These alarming developments triggered a wave of instability in the market, with CRV’s price experiencing a sharp 12% decline.
The Vyper exploit has cast a spotlight on the rarely discussed layer beneath DeFi protocols, the compilers that turn contract source into bytecode, and shows that a bug there can undermine every contract built on it. The lesson is that keeping compiler versions current, re-auditing deployed contracts against new compiler advisories, and tracking the history of fixes in the toolchain are all necessary to protect the integrity of DeFi protocols.
In a postmortem, whitehat rescue effort participant and OtterSec founder Robert Chen wrote:
"This bug could have been caught with a unit test. Formal verification is very useful for many bug classes, but I'm not convinced it's as useful for relatively simple, non-optimizing compilers.
It's important to note that this bug has been patched since November 2021.
I think this Vyper 0day is less about the skill of the Vyper team or the language itself but more about *processes*.
The bug was fixed many versions of Vyper ago; the actual oversight was not realizing the potential impact to projects at the time it *was* fixed.
Unfortunately, public goods get easily forgotten. With immutable contracts, projects can have implicit dependencies on code written years ago. Protocol developers and security experts should stay up to date on security developments across the entire execution stack."
— philogy (@real_philogy) July 31, 2023
While the attack resulted in colossal financial losses, some funds were successfully recovered and returned. Over $6.8 million has been returned so far, offering some relief to the beleaguered DeFi community. Negotiations are also currently underway with the exploiter to incentivize the return of more funds:
Dear hacker, you've got an incoming message https://t.co/ZKJjrO65PX
— Curve Finance (@CurveFinance) August 3, 2023
Nonetheless, this event has brought to the fore the critical importance of robust security practices in the DeFi space. The harsh lesson is that comprehensive testing and continuous auditing must extend to the toolchain, not just the protocol's own code. With the DeFi sphere evolving rapidly, developers and protocols must remain vigilant: collaborating on best practices, applying timely updates and security patches, and knowing the industry's history of hacks are non-negotiable elements of maintaining the integrity of DeFi protocols.
Luckily, it appears these lessons are being taken to heart. Developers within the community are already at work hardening the Vyper ecosystem against future attacks:
Man, the vyper chats are absolutely popping off right now with ideas on how to improve things, so an issue like this never happens again
I would not be short vyper right now (if that was a thing you could do)
Postmortem coming soon™
— señor doggo 🏴🏴☠️ in his wartime ceo era (@fubuloubu) August 1, 2023
In closing, the Vyper exploit reveals the grim reality of cyber threats, particularly in the realm of smart contract programming languages. The impact of this exploit serves as a stark reminder that effective security measures and incessant vigilance are paramount for the continued growth and resilience of the DeFi industry.
Here at De.Fi, we’re proud to offer a variety of free tools to users of our DeFi dashboard to help keep their funds safe. Our free smart contract auditor and wallet permissions revoke tool are essential products that ensure users can spot vulnerabilities quickly and easily. For projects that are interested in boosting security, we also offer smart contract audit services.
© De.Fi. All rights reserved.