BSC Suffers $73k Vyper Attack

The BNB Smart Chain (BSC) recently faced copycat attacks due to a vulnerability found in the Vyper programming language, mirroring the exploits on Ethereum’s Curve Finance DeFi protocol. According to blockchain security firm BlockSec, the attacks on BSC led to approximately $73,000 worth of cryptocurrencies being stolen through three separate exploits as of July 30.

Vyper Vulnerability Hits DeFi Pools

The vulnerability was discovered in Vyper versions 0.2.15, 0.2.16, and 0.3.0, which were widely adopted by various DeFi pools. The flaw in the reentrancy lock allowed attackers to call back into a contract's functions while an earlier call was still executing, creating an opportunity to drain all funds from affected contracts.
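The following toy model is an added example, not code from the article, Vyper, or any affected project. It assumes the lock defect behaves as lock state tracked per function rather than per lock name (a modelling assumption the article does not state); `Pool`, `remove_liquidity`, `add_liquidity` and `cross_function_reentry` are hypothetical names and all values are constructed.

```python
from contextlib import contextmanager

class Reentered(Exception):
    """Raised when a guarded function is entered while its lock is held."""

class Pool:
    def __init__(self, per_function_slots):
        # True models the assumed defect; False models a working guard.
        self.per_function_slots = per_function_slots
        self.held = set()    # lock slots currently taken
        self.eth = 100       # assets held by the pool (constructed value)
        self.supply = 100    # LP tokens outstanding (constructed value)

    @contextmanager
    def nonreentrant(self, key, func):
        # Working guard: one slot per key. Modelled defect: one per function,
        # so two functions sharing the key "lock" never exclude each other.
        slot = (key, func) if self.per_function_slots else key
        if slot in self.held:
            raise Reentered(func)
        self.held.add(slot)
        try:
            yield
        finally:
            self.held.discard(slot)

    def remove_liquidity(self, amount, on_receive):
        with self.nonreentrant("lock", "remove_liquidity"):
            self.eth -= amount       # asset leaves first
            on_receive(self)         # external call to the recipient
            self.supply -= amount    # bookkeeping finishes afterwards

    def add_liquidity(self, amount):
        with self.nonreentrant("lock", "add_liquidity"):
            # Prices against eth and supply; mid-withdrawal they disagree.
            minted = amount * self.supply // self.eth
            self.eth += amount
            self.supply += minted
            return minted

def cross_function_reentry(per_function_slots):
    """Report what a callback into add_liquidity gets during a withdrawal."""
    pool, seen = Pool(per_function_slots), {}
    def on_receive(p):
        try:
            seen["minted"] = p.add_liquidity(10)
        except Reentered:
            seen["blocked"] = True
    pool.remove_liquidity(50, on_receive)
    return seen
```

With the modelled defect the nested call is priced against half-updated state and mints 20 tokens for a deposit of 10; with a shared lock slot the same call is rejected.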

These attacks targeted several DeFi projects, resulting in significant losses. Among the affected projects were Alchemix’s alETH-ETH, which reported outflows of $13.6 million, PEGd’s pETH-ETH pool with a loss of $11.4 million, and Metronome’s sETH-ETH pool with $1.6 million stolen. In addition, more than 32 million Curve DAO (CRV) tokens worth over $22 million were drained within 24 hours.

White Hat vs. Black Hat Hackers

The impact of these exploits was evident as the native CRV token of Curve Finance experienced a sharp decline in value, plummeting by 12.4% to $0.64 in the last 24 hours. This raised concerns about potential liquidations, especially for the founder of Curve, who reportedly held a borrowing position worth $70 million on Aave. In the aftermath of the attacks, the DeFi community witnessed a fierce battle between white hat and black hat hackers on-chain. Both groups attempted to disrupt each other’s exploit attempts or recover stolen funds.

In the midst of the chaos, one potential white hat hacker, known as “c0ffebabe.eth,” took action to secure some funds for safekeeping. The hacker sent an on-chain message on July 30, encouraging affected protocols to coordinate the return of funds. As a result, c0ffebabe.eth’s wallet successfully returned nearly 2,900 Ether (ETH) worth over $5 million to Curve in a transaction. Additionally, another transaction revealed the movement of 1,000 ETH to a newly created wallet, possibly serving as a cold wallet to secure the recovered funds.