The attack, which was brutal and targeted the Curve decentralized finance protocol, has been underway since July 30 and is said to have already resulted in the theft of over $50 million. It is believed to be the result of a flaw in the programming language for smart contracts on the Ethereum Vyper blockchain, used by the decentralized trading platform (DEX). Several of Curve’s liquidity pools, denominated in various cryptocurrencies, are said to have fallen victim to the attack.
These liquidity pools are used by depositors to earn a return, and by traders for their trades.
According to a Vyper developer, the hackers certainly “took weeks, if not months” to find the vulnerability in Vyper.
According to reports in the trade press, some of the funds drained correspond to “white hats” hackers (ethical hackers, cybersecurity experts…), which would mean that they are not lost.
The program, Curve, manages around $3 billion in liquidity, making it one of the leading protocols in decentralized finance. It specializes in stablecoin swaps.
According to Chainalysis, DeFi protocols have been the main target of cryptocurrency hackers since 2021. In 2022, they accounted for over 80% of stolen funds, totalling $3.1 billion. Generally speaking, cryptocurrency piracy broke records last year.