Jul 31, 2023

Upwards of $100 million worth of cryptocurrency is at risk due to a "reentrancy" bug in Vyper, a smart-contract programming language in which some of Curve's pools are written.

Video transcript

Curve Finance saw $50 million drained, with more than $100 million worth of crypto at risk due to a bug that is impacting Curve. So the token is down, I believe, more than 15% on the day. Now, Will, I'm going to toss this one off to you, because this morning everyone who was reporting on the story was a little bit... we didn't have all of the information about what happened in this exploit. I don't know if you can break down the information we have so far. There's a bug; you tell us what's going on.

Yeah. Problems with DeFi continue. Basically, it's the idea that we can build different financial instruments on-chain, and they'll continue to operate as long as there are no bugs and there's liquidity within them. But unfortunately, these things are made by humans, and so there are always issues. The issue here is something to do with the Vyper compiler. So Vyper is a programming language for Ethereum that Ethereum co-founder Vitalik invented quite a while ago. Not a lot of people picked it up, because it was somewhat confusing and hard to operate with, and a lot of people chose to build in Solidity or another programming language of their choosing. So Vyper hasn't been picked up too much, and they've been trying to sort of deprecate it, because it's like, yeah, we don't want to keep using this, but some people are continuing to use it. And in these few pools here, we saw they were using a part of Vyper that was proven to be buggy and broken. And so once the Vyper community knew about this, well, then that spread into the DeFi community, and people figured out where these pools were and they went out and hacked them using reentrancy attacks, which basically is the idea that if you keep calling this pool, and keep calling it, saying, like, is there liquidity in here? There's a way to pull out more funds than you're actually supposed to be able to pull out from the pool itself. And it's a means of basically draining a pool.

It's a very old hack within the books. It has been done forever. But it's very hard to figure out, and they do occur quite often, especially when the underlying code is buggy. So that's what ended up happening here. About $50 million was pulled, and that led to a lot of different ramifications within DeFi, which we've seen time and time again, where a lot of these DeFi Legos are so stacked and interwoven that you do have contagion almost immediately. So for instance, in this exploit, we saw that the Curve token, CRV, started going down in price because of the associated hack. People started not believing in the Curve token and started selling it, and that led to positions in some DeFi loans starting to fall apart, which led to other parts of the market starting to take a tumble. So we saw the price of a lot of these tokens start to fall apart. Luckily, last night it looks like the token held enough to not force a lot of cascading liquidations, which was good news for the ecosystem, but definitely one of the toughest days in quite a few months.

Zach, composability. It's a feature and a bug, right? That's what you're saying. You know, composability allows for rapid innovation within the DeFi space, but then when some of those money Legos start to crumble, some of those foundational ones like a Curve start to crumble, it's bad news for that Lego tower, right?

And that is the thing with DeFi. And I think, really zooming out, right, this is potentially a crisis of confidence, right? Like, Curve is a very foundational pillar of DeFi liquidity, and if Curve can suffer an exploit of this magnitude, I think a lot of people are gonna maybe be like, uh oh, like, that's not good. You know, Curve is a huge place for stablecoin liquidity and more, and to see this happen is not a good look for DeFi, given that, you know, we keep seeing these challenges, right? And Curve, I think, to date has largely avoided... I could be wrong, there could be some earlier exploits in its history, but it has largely avoided some of these big headlines around bad news. And yeah, it's just really bad. Like, DeFi, I think, needs to mature and needs to get to a place of more confidence and more security in the broader sense there for people to start transacting on-chain in the way that crypto diehards really, really advocate that they should, right? Again, there was all this triumphant sort of chest-thumping after the FTX implosion, like, oh, this is gonna push everyone to DeFi, and all this exchange functionality is gonna be on-chain, auditable, real time, it's gonna be great. And yet we keep seeing some of these big bugs that happen. And I think this is, again, another part of that broader narrative that keeps people scared to try out some of these services that are actually quite cool. But it's a thing, it's definitely a thing.

Wendy, what do you think?

Two things. Is this a Vyper failure or is this a DeFi failure? And then the second thing is, I told my audience, whether you're gonna be using a centralized exchange to get some sort of passive income or you're gonna be using DeFi for pooling or staking or whatever that is, use a moon bag, use disposable income. Don't leave your entire stack there, because stuff like this can happen. I feel like DeFi is still in beta, just like Bitcoin is still in beta, and you don't want to lose your entire net worth because of poor risk management. So I think that's important to say. But, Will, because you guys are a lot more tech savvy than me, is this a Curve failure or is this a Vyper failure? Because it seems like there's two parts to this. It wasn't just necessarily Curve.

Yeah, I think here it was a failure of Vyper in the compiler, which led up the stack, right? And that's a problem with all these DeFi things. If something in the base layer isn't working well, things up the stack are going to be possible to attack, and that's what ended up happening here.

Thank you for clarifying, sir. It's a DeFi Lego, it's a money Lego when composability is a feature, but it's a money Jenga block when it's a bug. Because, yeah, that's a bummer, man. It's a bummer. Jen, we gotta get you on the board. What are you thinking?

Yeah, no, I completely agree with everything everyone has said. There's a report that was published on CoinDesk earlier today that said July is tracking to be the worst month for DeFi exploits this year. I think it was like over $300 million that have been lost to exploits in just July alone. So I think that the data underscores what everyone has said: we are still very early, there's still a lot to figure out, and there's still a lot of these bugs. We gotta be better about our audits and our security if we want people to use these systems and we don't want to lose our money. And so you should go check out that report.

Do that, go read that story. Good stuff. Respect journalists.
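The reentrancy drain the panel describes, as an added example that is not code from the original page, from Curve or from Vyper. It is written in plain Python rather than Vyper so it can be run anywhere: a pool pays the caller out before it has finished updating its own accounting, and the caller's payout handler calls straight back into the pool through a different function. The pool, its numbers, the account names and the two lock modes are all constructed for illustration. The reported Vyper defect concerned the compiler's built-in reentrancy lock; this toy does not reproduce the compiler, it only contrasts a lock that guards one function at a time with a single lock that covers the whole contract, because that is the difference that decides whether the nested call below gets through.

```python
"""Toy reentrancy drain on an AMM-style pool, and the lock that stops it.

Added example for this page; not code from Curve, Vyper or CoinDesk. The pool,
the balances and both lock modes are constructed for illustration.
"""


class Revert(Exception):
    """Stands in for an EVM revert: every state change of the call is undone."""


class Account:
    def __init__(self, addr: str, balance: int = 0):
        self.addr, self.balance = addr, balance

    def receive(self, pool: "Pool", amount: int) -> None:
        self.balance += amount


class Pool:
    """Single-asset pool: shares are pro-rata claims on `reserve`."""

    def __init__(self, reserve: int, shares: dict, shared_lock: bool):
        self.reserve = reserve
        self.shares = dict(shares)         # address -> share count
        self.shared_lock = shared_lock     # True: one lock for every guarded function
        self._held = set()

    def total_shares(self) -> int:
        return sum(self.shares.values())

    def _lock(self, fn: str) -> str:
        # A per-function key still lets a live call re-enter through a
        # *different* function; one contract-wide key blocks any re-entry.
        key = "pool" if self.shared_lock else fn
        if key in self._held:
            raise Revert(f"reentrant call into {fn}")
        self._held.add(key)
        return key

    def add_liquidity(self, caller: Account, amount: int) -> int:
        key = self._lock("add_liquidity")
        try:
            # Shares are priced off the current reserve and share count.
            minted = amount * self.total_shares() // self.reserve
            caller.balance -= amount
            self.reserve += amount
            self.shares[caller.addr] = self.shares.get(caller.addr, 0) + minted
            return minted
        finally:
            self._held.discard(key)

    def remove_liquidity(self, caller: Account) -> int:
        key = self._lock("remove_liquidity")
        try:
            burned = self.shares.get(caller.addr, 0)
            payout = burned * self.reserve // self.total_shares()
            self.reserve -= payout
            # External call while the shares are still unburned: the window.
            # reserve is already down but total_shares is not, so shares are
            # momentarily cheap for whoever can call add_liquidity right now.
            caller.receive(self, payout)
            self.shares[caller.addr] -= burned
            return payout
        finally:
            self._held.discard(key)


class Attacker(Account):
    """Its payout handler re-enters the pool once, via add_liquidity."""

    def __init__(self, addr: str):
        super().__init__(addr)
        self.reentered = False

    def receive(self, pool: Pool, amount: int) -> None:
        self.balance += amount
        if not self.reentered:
            self.reentered = True          # kept True even if the tx reverts, so the
            pool.add_liquidity(self, amount)   # second withdrawal below is a plain one


def send_tx(pool: Pool, sender: Account, call) -> bool:
    """Run `call` like an EVM transaction: a Revert rolls all state back."""
    snapshot = (pool.reserve, dict(pool.shares), sender.balance)
    try:
        call()
        return True
    except Revert:
        pool.reserve, pool.shares, sender.balance = snapshot
        return False


def run_attack(shared_lock: bool) -> tuple:
    """Return (attacker balance, pool reserve, reentrant tx succeeded)."""
    pool = Pool(reserve=1000, shares={"lp": 900, "attacker": 100}, shared_lock=shared_lock)
    attacker = Attacker("attacker")    # starts holding shares worth exactly 100 tokens
    ok = send_tx(pool, attacker, lambda: pool.remove_liquidity(attacker))
    send_tx(pool, attacker, lambda: pool.remove_liquidity(attacker))  # plain withdrawal
    return attacker.balance, pool.reserve, ok


if __name__ == "__main__":
    print("per-function lock:", run_attack(shared_lock=False))
    print("contract-wide lock:", run_attack(shared_lock=True))
```

With the per-function lock the nested `add_liquidity` goes through, the attacker's handler buys shares while the reserve is temporarily low, and the second withdrawal pays out more than the 100 tokens the attacker was entitled to; the honest liquidity provider is left holding the shortfall. With the contract-wide lock the nested call raises `Revert`, which undoes the whole first transaction, and the attacker gets exactly 100. The lock is only one of the two standard defences: the other, independent of any lock, is to burn the shares before making the external call (checks-effects-interactions), so that there is never a moment when `reserve` and `total_shares` disagree.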
