Vyper Programming Language Vulnerability
On July 30, a vulnerability was discovered in Vyper, a programming language for the Ethereum Virtual Machine (EVM). The flaw caused the reentrancy lock to malfunction, and funds were drained from four Curve Finance pools, with nearly $100 million worth of digital assets at risk.
Curve Finance is a key DeFi protocol, and the price of its native token, CRV, collapsed on the DeFi market because of the attack. The price feed from centralized exchanges (CEXs) saved CRV from further decline and kept the token from dropping to zero.
The vulnerability was found in three versions of Vyper: 0.2.15, 0.2.16 and 0.3.0. It may also affect other protocols such as Cartesi, Chiliz, Celo, Comp, Braintrust, Circle, CFX and Blackrock. The Web 3.0 release date is yet to be determined.
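To act on the affected-version list above, this added example (not code from the article or from the Vyper project) scans Vyper sources for a pinned compiler version and for use of the `@nonreentrant` lock. The file names and contract bodies are constructed samples, and a source pragma is only a hint: the compiler that actually built the deployed bytecode has to be confirmed from build records.

```python
import re

# Compiler versions the article names as affected.
AFFECTED = {"0.2.15", "0.2.16", "0.3.0"}

# "# @version 0.2.15" and the newer "#pragma version 0.3.10" spellings.
PRAGMA_RE = re.compile(
    r"^[ \t]*#[ \t]*(?:@version|pragma[ \t]+version)[ \t]+(\S+)", re.M)
EXACT_RE = re.compile(r"^=*v?(\d+\.\d+\.\d+)$")
LOCK_RE = re.compile(r"^[ \t]*@nonreentrant\b", re.M)


def audit_source(source):
    """Return (version_spec, uses_lock, status) for one Vyper source file."""
    uses_lock = bool(LOCK_RE.search(source))
    pragma = PRAGMA_RE.search(source)
    if pragma is None:
        return (None, uses_lock, "no-pragma")
    spec = pragma.group(1)
    exact = EXACT_RE.match(spec)
    if exact is None:
        # A range such as ^0.2.0 does not say which compiler built the bytecode.
        return (spec, uses_lock, "range")
    version = exact.group(1)
    if version not in AFFECTED:
        return (version, uses_lock, "not-listed")
    # Listed compiler: the lock is the part that malfunctions, so contracts
    # that rely on it are the ones to look at first.
    return (version, uses_lock,
            "affected-with-lock" if uses_lock else "affected-no-lock")


# Constructed sample sources (hypothetical file names and functions).
LOCKED_BODY = "\n@external\n@nonreentrant('lock')\ndef withdraw(amount: uint256):\n    pass\n"
PLAIN_BODY = "\n@external\ndef ping() -> bool:\n    return True\n"
SAMPLES = {
    "pool_a.vy": "# @version 0.2.15\n" + LOCKED_BODY,
    "token.vy": "# @version 0.3.0\n" + PLAIN_BODY,
    "pool_b.vy": "# @version ^0.2.0\n" + LOCKED_BODY,
    "vault.vy": "#pragma version 0.3.10\n" + LOCKED_BODY,
}


def audit_all(samples):
    """Map each file name to its audit_source() result."""
    return {name: audit_source(src) for name, src in samples.items()}


if __name__ == "__main__":
    for name, result in audit_all(SAMPLES).items():
        print(name, result)
```
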
Chainlink and CEX Price Feeds
Curve Finance recently experienced an ironic incident that drew the attention of Binance CEO Changpeng Zhao: the crypto exchange’s CEX price feed was the saving grace for the DeFi protocol, which would otherwise have collapsed. Zhao noted that the Vyper vulnerability had no impact on Binance, as the exchange had already upgraded its code to the latest version. He also reminded everyone of the importance of library upgrades.
The bug in the earlier versions of the Vyper code is believed to be at least 1.5 years old, and the exploiter is believed to have thoroughly examined the release history to find an exploitable issue for a large protocol with millions of dollars at stake. A Vyper contributor on Twitter suggested that the amount of time and resources put into the exploit indicates it might be a state-sponsored attack.