On July 30, an attacker targeted several Curve Finance liquidity pools by exploiting a vulnerability in the Vyper programming language (versions 0.2.15, 0.2.16, and 0.3.0), a language designed for the Ethereum Virtual Machine (EVM). The flaw caused the reentrancy lock to malfunction, which allowed millions of dollars to be drained from four Curve pools: aETH/ETH, msETH/ETH, pETH/ETH, and CRV/ETH.
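The article states only that the reentrancy lock malfunctioned. The following Python model is an added example, not Curve's or Vyper's code, that shows what a defender should verify about any such lock: that it blocks not just a function re-entering itself, but also a second guarded function being entered while the first is suspended in an external call. The `ToyPool`, `withdraw`, `deposit` and `reentry_blocked` names are constructed here; the "per-function slot" mode models the documented root cause as I understand it (one lock key compiled to a different storage slot per function instead of one shared slot), which the article itself does not describe.

```python
class ReentrancyError(Exception):
    """Raised when a guarded function is entered while its lock slot is set."""


class ToyPool:
    """Constructed model of a contract with two functions guarded by the same lock key.

    shared_lock=True  : the key maps to ONE storage slot shared by both functions,
                        which is what a non-reentrant decorator is expected to do.
    shared_lock=False : the same key maps to a DIFFERENT slot per function, so each
                        function only ever sees its own flag. This is the assumed
                        model of the defect class behind the incident, not text
                        from the article.
    """

    def __init__(self, shared_lock: bool) -> None:
        self.shared_lock = shared_lock
        self.storage: dict[str, bool] = {}   # lock slot -> held?
        self.balance = 100                    # toy pool balance
        self.trace: list[str] = []            # order of successful entries

    def _slot(self, fn: str) -> str:
        # One key -> one slot (correct), or one key -> one slot per function (defective).
        return "lock" if self.shared_lock else f"lock:{fn}"

    def _acquire(self, fn: str) -> None:
        slot = self._slot(fn)
        if self.storage.get(slot, False):
            raise ReentrancyError(f"{fn}: reentrant call rejected")
        self.storage[slot] = True

    def _release(self, fn: str) -> None:
        self.storage[self._slot(fn)] = False

    def withdraw(self, amount: int, on_transfer) -> None:
        """Guarded function that makes an external call before its state update is final."""
        self._acquire("withdraw")
        try:
            self.trace.append("withdraw")
            on_transfer(self)           # external call: the caller regains control here
            self.balance -= amount
        finally:
            self._release("withdraw")

    def deposit(self, amount: int) -> None:
        """Second guarded function that shares the same lock key."""
        self._acquire("deposit")
        try:
            self.trace.append("deposit")
            self.balance += amount
        finally:
            self._release("deposit")


def reentry_blocked(shared_lock: bool, target: str) -> bool:
    """Audit-style check: while withdraw() is suspended in its external call, try to
    enter `target` ("withdraw" = same-function reentry, "deposit" = cross-function
    reentry). Returns True only if the lock rejected the nested call."""
    pool = ToyPool(shared_lock)
    outcome: list[bool] = []

    def on_transfer(p: ToyPool) -> None:
        if outcome:                 # attempt the nested call only once
            return
        try:
            if target == "withdraw":
                p.withdraw(1, on_transfer)
            else:
                p.deposit(1)
            outcome.append(False)   # nested call got through: the lock did not hold
        except ReentrancyError:
            outcome.append(True)    # nested call was rejected: the lock held

    pool.withdraw(10, on_transfer)
    return outcome == [True]


if __name__ == "__main__":
    for shared in (True, False):
        print(f"shared_lock={shared}: "
              f"same-function blocked={reentry_blocked(shared, 'withdraw')}, "
              f"cross-function blocked={reentry_blocked(shared, 'deposit')}")
```

Both modes reject same-function reentry, which is why a test suite that only re-enters the function under test reports nothing wrong. Only the shared-slot mode also rejects the cross-function case; the lesson for reviewers is to exercise every pair of functions that share a lock key, and to treat a compiler upgrade as a change that needs that test run again.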
The vulnerability raised concerns about its impact on other protocols, putting nearly $100 million worth of digital assets at risk.
However, centralized exchange price feeds played a crucial role in preventing the collapse of the CRV token's price in the DeFi market. While decentralized exchanges reported a CRV price of $0.086, centralized exchanges (CEXs) traded it at $0.60, a substantial gap between the two venues.
Curve pools relied on Chainlink's oracle system, which aggregates multiple price feeds, including those from centralized exchanges, and that aggregation played a vital role in preventing a complete collapse of Curve Finance.
Binance CEO Changpeng Zhao observed the incident and found it ironic that a CEX price feed saved the DeFi protocol, given the criticism centralized exchanges face within the DeFi community. Zhao also said the Vyper vulnerability had no impact on Binance, as the exchange had promptly updated its code to the latest version, emphasizing the importance of code library upgrades for robust security.
Experts believe the Vyper bug had existed for at least 1.5 years, and the attacker appears to have studied the release history meticulously to find an exploitable protocol. A Vyper contributor on Twitter suggested the possibility of state-sponsored involvement in the attack, citing the time and resources invested in the exploit.