On July 30, 2023, multiple Curve.Fi liquidity pools were exploited due to a latent vulnerability in the Vyper compiler, specifically in versions 0.2.15, 0.2.16, and 0.3.0, resulting in approximately $70 million in losses. This caused panic within the DeFi community.
The hacks led to a 5% decline in CRV, Curve’s native token, and triggered fears of contagion effects for some DeFi protocols. The lending protocol AAVE appeared to be at risk due to a massive borrow position secured by CRV token collateral.
This report provides a deep-dive into the Vyper compiler’s vulnerability, its root cause, and the lessons learned from the incident.
What is Vyper?
Vyper is a contract-oriented, domain-specific, pythonic programming language targeting the Ethereum Virtual Machine (EVM). Its main goals include simplicity, pythonicity, security, and auditability.
Re-Entrancy: A Widespread Web 3.0 Problem
Re-entrancy is a common problem in blockchain…
