A decentralized finance expert who goes by fubuloubu on Twitter believes that the attack on Curve Finance earlier today could be the work of state-sponsored hackers. As per the DeFi expert, the hackers behind this attack put in a significant amount of time and effort to execute the exploit on Curve stable pools.
The DeFi expert took to Twitter earlier today to share their thoughts on the Curve Finance exploit:
The worst thing about the Curve hack is this is not something a typical researcher would have looked for, they dug *deep* in our release history to find an exploitable issue for a large protocol with many millions at stake
— señor doggo 🏴🏴☠️ in his wartime ceo era (@fubuloubu) July 31, 2023
This took a significant amount of time to identify
The hackers who targeted Curve Finance through the Vyper compiler earlier today managed to hack multiple pools, including crv/eth, aleth/eth, mseth/eth, and peth/eth. The exploit was executed using a zero-day reentrancy vulnerability that affected Vyper versions 0.2.15, 0.2.16, and 0.3.0. Fubuloubu is also a developer of Vyper.
According to fubuloubu, the vulnerability that was exploited by the hackers was not something that a typical blockchain researcher would look for. As per the Vyper developer, the hackers dug deep into Vyper’s release history to find an exploitable vulnerability, which would have taken a lot of time. The developer cited the coordination, sophistication, and resourcefulness of the exploit to claim that it could have been the work of state-sponsored hackers.
The Vyper developer added that, as DeFi contracted over the past year, it had become difficult for hackers to find big targets offering a considerable payday. This led black hat hackers to look for new sources of profit, which may include compilers like Vyper. This is a matter of concern because compilers do not receive many reviews or audits.
Speaking on the vulnerabilities of a compiler, the Vyper developer stated:
There’s not really a good reason to audit the compiler, since it makes more sense to audit the final product that the end user produces with the tool, which is the raw EVM code.
Curve Finance agreed with fubuloubu’s assessment of the situation and added that Vyper version 0.3.7 was “well refactored and audited”. At the time of writing, white hat rescue operations to retrieve the stolen funds were still underway. Unfortunately, there would be no recourse for Curve DAO Token holders, who saw the value of their CRV tokens plummet nearly 20% within hours.