CEXs Saving DeFi? Chainlink Rescues Curve Finance Amid $100 Million Vyper Vulnerability

An exploit in the Vyper programming language caused a significant drain from Curve Finance's liquidity pools, but the decentralized protocol was rescued from total collapse by Chainlink's price feed.


Curve Finance, a significant player in decentralized finance (DeFi), was threatened with near-collapse due to a critical vulnerability in the Vyper programming language.

This exploit risked nearly $100 million in digital assets, but a surprising reprieve came from a source normally associated with traditional finance — a centralized exchange price feed.

The issue was rooted in specific versions of Vyper, in which the reentrancy lock malfunctioned. This flaw allowed a sizable drain from four Curve pools and sent the value of Curve’s native token (CRV) plummeting to as low as $0.086 on decentralized exchanges.


While it may seem antithetical to DeFi’s core principles, the CEX price feed held the CRV price at $0.60 on centralized exchanges, preventing the token’s total collapse. Curve’s pools use Chainlink’s oracle system, which integrates price feeds from several sources, including CEXs.

The price feeds from centralized exchanges, part of Chainlink’s oracle system used by Curve’s pools, played a key role in this incident.

Binance, one of the major players in the cryptocurrency exchange realm, emerged unscathed from the Vyper vulnerability. CEO Changpeng Zhao, while highlighting the importance of keeping code libraries updated, pointed out the irony of a centralized system coming to the rescue of a decentralized protocol:

“It’s important to stay up-to-date with code libraries, apps and OS. And stay SAFU [Secure Asset Fund for Users].”

The exploitable issue within Vyper’s earlier versions, 0.2.15, 0.2.16 and 0.3.0, is believed to be at least 1.5 years old, affecting Curve’s aETH/ETH, msETH/ETH, pETH/ETH and CRV/ETH pools. The meticulous planning and resources invested in the attack led a Vyper program contributor to suggest the possibility of a state-sponsored effort.
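For teams checking their own contracts against the compiler versions listed above, the following is an added example of a source-level triage check; it is not code from Curve, Vyper or this article. The file names and contract sources are constructed samples, and the check assumes the version pragma in the source reflects the compiler used for the deployed build.

```python
import re

# Affected compiler releases, as listed in the article.
AFFECTED = {"0.2.15", "0.2.16", "0.3.0"}

# Vyper version pragma forms: "# @version 0.2.15" and "#pragma version 0.3.0".
PRAGMA_RE = re.compile(r"^#\s*(?:@version|pragma\s+version)\s+(\S+)", re.M)
# The reentrancy lock decorator, e.g. @nonreentrant('lock').
LOCK_RE = re.compile(r"^\s*@nonreentrant\b", re.M)
# An exact pin such as 0.2.15 or ==0.2.15 (no ^, >= or other range operator).
EXACT_RE = re.compile(r"^=*(\d+\.\d+\.\d+)$")


def classify(source: str) -> str:
    """Return 'affected', 'review' or 'not_affected' for one Vyper source."""
    if not LOCK_RE.search(source):
        return "not_affected"  # no reentrancy lock in this file
    pragma = PRAGMA_RE.search(source)
    if pragma is None:
        return "review"  # compiler version unknown: check build metadata
    exact = EXACT_RE.match(pragma.group(1))
    if exact is None:
        return "review"  # a range may have resolved to an affected release
    return "affected" if exact.group(1) in AFFECTED else "not_affected"


def scan(files: dict) -> dict:
    """Classify every file in a {name: source} mapping."""
    return {name: classify(src) for name, src in files.items()}


# Constructed sample sources, not real contracts.
LOCKED_FN = "\n@external\n@nonreentrant('lock')\ndef withdraw(amount: uint256):\n    pass\n"
SAMPLES = {
    "pool_pinned_old.vy": "# @version 0.2.15\n" + LOCKED_FN,
    "pool_ranged.vy": "# @version ^0.2.0\n" + LOCKED_FN,
    "pool_pinned_new.vy": "# @version 0.3.7\n" + LOCKED_FN,
    "token_no_lock.vy": "# @version 0.2.16\n\n@external\ndef ping():\n    pass\n",
}

if __name__ == "__main__":
    for name, verdict in scan(SAMPLES).items():
        print(f"{verdict:13} {name}")
```

A `review` verdict means the source alone cannot settle the question; the compiler version recorded in the build or deployment artifacts is the authority.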
