There are vulnerabilities in some versions of the Vyper language, and projects such as Curve have been attacked

On July 30th, Beijing time, some versions of the smart contract programming language Vyper were found to have serious vulnerabilities, and some important projects including Curve Finance were therefore attacked.

According to a Twitter announcement from Vyper, the Ethereum smart contract programming language, three of its versions — 0.2.15, 0.2.16, and 0.3.0 — have serious vulnerabilities that may disable their reentrancy locks. For blockchain projects, this problem may cause the execution process of the contract to be interrupted or produce unpredictable results, thereby affecting the stability of the entire system. In the announcement, the Vyper team strongly recommends that all projects using these affected versions should contact them immediately for timely technical support and solutions.

However, the impact of this vulnerability has already occurred. The Curve team tweeted a minute later that some stable pools using Vyper version 0.2.15, including alETH, msETH, and pETH, have suffered cyber attacks due to the failure of the reentry lock function. This vulnerability allows attackers to execute certain functions multiple times in a single transaction, potentially causing significant damage to related blockchain projects.

The Curve team also promises that other pools are safe, and this vulnerability has never been noticed during the previous development process until today. Curve’s token also plummeted at the same time, losing 15.45% on the day.

!

Curve’s Twitter statement.

Several projects were affected. According to Supremacy, an on-chain data monitor, the NFT pledge agreement JPEG’d was affected by the reentrancy vulnerability, and the stolen assets have reached about 10 million US dollars. Immediately afterwards, Paidun and Hexagate, two other security accounts on the chain, also tweeted @JPEG’d project party, claiming that the transaction was a hacker transaction. This incident caused JPEG’d’s token value to plunge, from a stable level of around 0.00062 to 0.0003, and now it has recovered to 0.00049, a one-day drop of 21.63%.

JPEG’d token price. Source: Coinmarketcap

The JPEG’d project also responded after the release of Curve, claiming that “our protocol is not within the scope of this hacking incident, and our developers are very powerful.”

In addition, two other project parties were also affected: according to Hexagate, the lending project AlchemixFi and the DeFi protocol MetronomeDAO were also attacked, and the attackers made a total of $13 million and $1.6 million in profits. Both projects issued statements at the first time. Alchemix claimed to have noticed the hacking incident, which may lead to instability in the price of project tokens, and suggested that LP withdraw liquidity from the pool as soon as possible.

MetronomeDAO stated, “Any provider providing liquidity on msUSD pairs, and Optimism users interacting with msETH on Velodrome, should note that their positions are not affected. In addition, all Metronome deposits and open positions are not affected. affected by this incident."