Curve Finance factory pools attacked due to reentrancy vulnerability
There was a security hole that might enable money to be stolen from factory pools on Curve Finance due to contract calls being interrupted.
Exploiting the reentrancy vulnerability in some versions of the Vyper compiler, large outflows were traced to a chain of events that began with a flash loan.
There is a significant security problem in Curve Finance factory pools known as reentrancy, which occurs when an external call to a contract is stopped and called back before its conclusion. This might enable attackers to steal cash or abuse the contract’s logic. Over $26 million was lost as a result of withdrawals from several linked pools due to this vulnerability.
Beosin’s security researchers claim that Curve’s JPEGd, Metronome, and Alchemix manufacturing pools were all attacked.
The pETH-ETH manufacturing pool operated by JPEGd on Curve lost $11.4 million. Next, $1.6 million changed hands in the sETH-ETH pool at the Metronome.
According to estimates from security company BlockSec, total asset outflows attributable to this security problem on Curve pools have already surpassed $41 million.
Curve Finance is a DEX that focuses on facilitating transactions with stablecoins. With time, it has evolved to serve a wider variety of assets. When discussing liquidity pools, the term “factory pools” refers to a system whereby new pools may be produced inside a predefined “factory.” This method provides a permissionless alternative to the Curve team manually constructing each pool by allowing projects or people to create their own liquidity pools using Curve’s infrastructure.
The current discharges were the result of a chain of events. Igor Igamberdiev, director of research at Wintermute, revealed that it all started with a flashloan that looked to take advantage of the reentrancy weakness linked with some earlier compiler versions of Vyper, the smart contract programming language used to construct the code for these factory pools.