Rough Week for DeFi Projects With Attacks on Finance Pools

DeFi projects continue to be a popular target of attack for advanced hackers, as a number of finance pools associated with Curve were hit on July 31 for a total loss of about $61 million. The attack appears to have been the result of a vulnerability found in certain versions of the Vyper programming language used for Ethereum smart contracts.
Adding to the total damage was a rug pull involving the trendy BALD coin, which saw a massive surge of interest following its late July introduction. After the coin mooned for two days, the anonymous creator suddenly pulled $12.5 million out of the exchange and immediately crashed the price.
Bloomberg estimates that a total of $1.5 billion was pulled from the ecosystem as traders were scared off by the two events, and a fresh set of questions has been raised about the independence and long-term viability of DeFi projects.

Curve finance pools compromised by programming language flaw
The Curve attack was caused by a vulnerability in versions 0.2.15, 0.2.16 and 0.3.0 of Vyper. This impacted several DeFi projects, mostly stable pools with substantial holdings. These versions of Vyper incorrectly implemented a reentrancy guard that locks contracts to prevent multiple functions from being executed at the same time.
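
The contract-wide lock described above can be modeled in a few lines. This is an added illustration in Python, not code from the article, Curve or Vyper: it checks that a nested call into a second guarded function is rejected while the first is still running. The per-function-lock variant is an assumed example of a faulty guard, and all names are hypothetical.

```python
from functools import wraps

class Reentered(Exception):
    """Raised when a guarded function is entered while its lock is held."""

def nonreentrant(fn):
    """Guard decorator: take the lock, run the function, always release."""
    @wraps(fn)
    def wrapper(self, *args):
        key = self.lock_key(fn.__name__)
        if self.locks.get(key):
            raise Reentered(fn.__name__)
        self.locks[key] = True
        try:
            return fn(self, *args)
        finally:
            self.locks[key] = False
    return wrapper

class Pool:
    """Toy pool (hypothetical): withdraw() calls out before updating state."""
    def __init__(self, shared_lock):
        self.shared_lock = shared_lock
        self.locks = {}
        self.balance = 100

    def lock_key(self, fn_name):
        # Correct guard: one key for the whole contract.
        # Assumed faulty guard: a separate key per function.
        return "lock" if self.shared_lock else fn_name

    @nonreentrant
    def withdraw(self, amount, callback):
        callback(self)           # external call while balance is still stale
        self.balance -= amount

    @nonreentrant
    def read_balance(self):
        return self.balance

def nested_call_blocked(shared_lock):
    """True if the guard rejects a nested call made during withdraw()."""
    pool = Pool(shared_lock)
    try:
        pool.withdraw(10, lambda p: p.read_balance())
    except Reentered:
        return True
    return False

if __name__ == "__main__":
    print("shared lock blocks nested call:", nested_call_blocked(True))
    print("per-function lock blocks nested call:", nested_call_blocked(False))
```

A check of this shape works as a regression test for any guard implementation: the nested call must fail no matter which guarded function it targets.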
