DeFi Protocols Rocked by Latest Hacks Exploiting Vyper Language Vulnerabilities
Recent hacks on Curve Finance and on protocols running on BNB Smart Chain expose a flaw in the reentrancy guard emitted by specific versions of the Vyper compiler, leading to tens of millions of dollars in losses.
Attackers have exploited a vulnerability in specific versions of Vyper, a smart-contract language widely used for Web3 projects that target the Ethereum Virtual Machine (EVM), to hit Curve Finance and several protocols on BNB Smart Chain.
Vyper is known for its Python-like syntax, which makes it a common starting point for Python developers moving into DeFi. The attacks exploited a flaw in the reentrancy lock generated by Vyper compiler versions 0.2.15, 0.2.16 and 0.3.0, leading to breaches across multiple protocols.
The losses have been significant across several platforms. On BNB Smart Chain (BSC), multiple attacks attributed to the same reentrancy lock flaw were reported on July 30. Blockchain security firm BlockSec reported that these attacks led to the theft of around $41 million worth of cryptocurrencies.
— BlockSec (@BlockSecTeam) July 30, 2023
Curve Finance, a DeFi protocol, suffered even more on the same day. Several of its stable pools compiled with the affected Vyper versions were exploited, with losses exceeding $47 million. A total of 32 million CRV tokens, worth over $22 million, were drained from the swap pool, as confirmed by Curve on Twitter.
— Andrew T (@Blockanalia) July 30, 2023
A reentrancy lock is a guard that should stop a contract function from being re-entered before the first call has finished: when a function makes an external call or sends ETH, the recipient can call back into the contract, and the lock is supposed to reject that nested call to any function sharing the same lock. When correctly implemented, this guard would have thwarted the attackers. But in the affected Vyper versions the guard was not implemented correctly, leaving a number of DeFi pools susceptible to attack.
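The following is an added example, not code from the article, from Vyper or from Curve. It is a small Python model of the cross-function reentrancy that a working reentrancy lock has to stop: a hypothetical pool whose `remove_liquidity` sends ETH before updating its own bookkeeping, and an attacker whose ETH-receive hook calls `transfer` during that send to move the not-yet-burned LP shares to an accomplice. The broken compiler is modelled as an assumption for illustration: every function gets its own lock slot even though they were all declared with the same key, so a nested call into a *different* function is not rejected. The pool, its functions, the accounts and the figures are all constructed for the example.

```python
"""Model of a reentrancy lock: shared slot per key (correct) versus one slot per
function (the assumed failure mode). Hypothetical pool; not Vyper or Curve code."""
from functools import wraps


class Reverted(Exception):
    """Stands in for an EVM revert."""


def nonreentrant(key):
    """Models a @nonreentrant(key) decorator that guards a function with a lock slot."""
    def deco(fn):
        @wraps(fn)
        def wrapper(self, *args):
            slot = self.lock_slot(key, fn.__name__)
            if self.locks.get(slot):
                raise Reverted(f"{fn.__name__}: reentrancy lock {slot!r} is held")
            self.locks[slot] = True
            try:
                return fn(self, *args)
            finally:
                self.locks[slot] = False
        return wrapper
    return deco


class Pool:
    """Toy single-asset LP pool (constructed for the example). remove_liquidity
    deliberately does its external call before its state update, so safety rests
    entirely on the reentrancy lock."""

    def __init__(self, shared_lock_slots):
        self.shared_lock_slots = shared_lock_slots
        self.locks = {}
        self.eth = 0           # ETH the pool believes it holds
        self.total_supply = 0  # LP shares outstanding
        self.balances = {}     # LP shares per account
        self.accounts = {}     # account name -> object with receive(pool, amount)

    def lock_slot(self, key, fn_name):
        # Correct behaviour: one slot per key. Assumed bug: one slot per function.
        return key if self.shared_lock_slots else (key, fn_name)

    @nonreentrant("lock")
    def add_liquidity(self, sender, value):
        shares = value if self.total_supply == 0 else value * self.total_supply // self.eth
        self.eth += value
        self.total_supply += shares
        self.balances[sender] = self.balances.get(sender, 0) + shares
        return shares

    @nonreentrant("lock")
    def transfer(self, sender, to, shares):
        if self.balances.get(sender, 0) < shares:
            raise Reverted("insufficient LP balance")
        self.balances[sender] -= shares
        self.balances[to] = self.balances.get(to, 0) + shares

    @nonreentrant("lock")
    def remove_liquidity(self, sender, shares):
        balance_before = self.balances.get(sender, 0)
        if balance_before < shares:
            raise Reverted("insufficient LP balance")
        eth_out = shares * self.eth // self.total_supply
        self.accounts[sender].receive(self, eth_out)     # external call: callback runs here
        self.balances[sender] = balance_before - shares  # stale write after the call
        self.total_supply -= shares
        self.eth -= eth_out
        return eth_out


class Honest:
    def __init__(self):
        self.eth = 0

    def receive(self, pool, amount):
        self.eth += amount


class Attacker:
    """While being paid out, moves the shares that have not been burned yet."""
    def __init__(self, accomplice):
        self.eth, self.accomplice = 0, accomplice

    def receive(self, pool, amount):
        self.eth += amount
        pool.transfer("attacker", self.accomplice, pool.balances["attacker"])


def tx(pool, fn, *args):
    """Top-level transaction: a revert anywhere rolls everything back, as on the EVM."""
    snap = (pool.eth, pool.total_supply, dict(pool.balances),
            {name: acct.eth for name, acct in pool.accounts.items()})
    try:
        return fn(*args), None
    except Reverted as e:
        pool.eth, pool.total_supply, pool.balances, held = snap
        for name, acct in pool.accounts.items():
            acct.eth = held[name]
        return None, str(e)


def run(shared_lock_slots):
    """Honest LP and attacker each deposit 100 ETH; attacker then withdraws and re-enters."""
    pool = Pool(shared_lock_slots)
    honest, accomplice, attacker = Honest(), Honest(), Attacker("accomplice")
    pool.accounts = {"honest": honest, "accomplice": accomplice, "attacker": attacker}
    tx(pool, pool.add_liquidity, "honest", 100)
    tx(pool, pool.add_liquidity, "attacker", 100)
    _, err = tx(pool, pool.remove_liquidity, "attacker", 100)
    tx(pool, pool.remove_liquidity, "accomplice", pool.balances.get("accomplice", 0))
    return {"pool_eth": pool.eth, "attacker_eth": attacker.eth + accomplice.eth,
            "honest_shares": pool.balances["honest"], "revert": err}


if __name__ == "__main__":
    print("per-function lock slots:", run(shared_lock_slots=False))
    print("shared lock slot:       ", run(shared_lock_slots=True))
```

With per-function slots the nested `transfer` is allowed, the stale write in `remove_liquidity` zeroes the attacker's balance while the accomplice keeps the shares, and the accomplice's withdrawal empties the pool: the attacker ends with 200 ETH against a 100 ETH deposit and the honest LP holds 100 shares of nothing. With a shared slot the nested call reverts, which unwinds the whole withdrawal; an attacker whose hook swallowed that revert would simply receive an ordinary payout.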
Several other DeFi projects have also reported losses, among them Ellipsis, which reported an unspecified amount lost from its BNB stable pools.
A small number of stablepools with BNB using an old Vyper compiler have been exploited.
We are assessing the situation and will update the community on any further findings. https://t.co/pxkhRRSr5w
— Ellipsis (@Ellipsisfi) July 30, 2023