Jul 31, 2023 - 17:38
Oct 19, 2023 - 13:48
Curve Finance and the $100 Million Danger
Curve Finance recently faced a critical vulnerability that put nearly $100 million worth of digital assets at risk.

On July 30, an attacker targeted several Curve Finance liquidity pools by exploiting a vulnerability in versions 0.2.15, 0.2.16, and 0.3.0 of Vyper, a programming language for the Ethereum Virtual Machine (EVM). The flaw caused the reentrancy lock to fail, allowing the attacker to drain millions of dollars from four Curve pools: aETH/ETH, msETH/ETH, pETH/ETH, and CRV/ETH.

The vulnerability raised concerns about its impact on other protocols, putting nearly $100 million worth of digital assets at risk. The sizable drain from the affected pools sent the value of Curve's native token (CRV) plummeting to as low as $0.086 on decentralized exchanges.

Centralized Exchange Price Feeds to the Rescue

While decentralized exchanges reported a CRV price of $0.086, centralized exchanges (CEXs) traded it at $0.60, a significant pricing discrepancy. Curve pools relied on Chainlink's oracle system, which aggregates various price feeds, including those from centralized exchanges; this played a vital role in preventing a complete collapse of Curve Finance.

Binance CEO Changpeng Zhao (also known as CZ Binance) observed the incident and found it ironic that a CEX price feed saved the DeFi protocol, given the criticism centralized exchanges face within the DeFi community. Zhao stated that the Vyper vulnerability had no impact on Binance, emphasizing the importance of keeping code libraries upgraded for robust security.

Experts believe the Vyper bug has existed for at least 1.5 years, and the attacker appears to have meticulously studied the release history to exploit the protocol. A Vyper contributor suggested on Twitter that the attack may have been state-sponsored, citing the time and resources invested in the exploit.

