Crypto hacks drain Curve money pools of $70M


Curve Finance has seen several of its liquidity pools drained of millions of dollars in cryptocurrency thanks to a cyberattack, security firm Chainalysis reports.

The attacks occurred in quick succession on July 30th, leading to losses of $70 million in digital currency and, in Chainalysis’ words, “triggering panic within the DeFi ecosystem.”

The analyst says the attacks exploited vulnerabilities in Vyper, a third-party programming language related to Python.

The worst-hit victims were Alchemix, which lost around $20 million in Ethereum, and JPEG’d, a loan fund for buyers of non-fungible tokens (NFTs), which was milked to the tune of $12 million in the same digital denomination.

However, the total haul of funds stolen by the attackers responsible came to around $70 million, the Chainalysis bulletin added.

Around the time of the incident, additional reports surfaced of so-called “grey-hat” hackers beating the threat actors to the punch in a maneuver known as “front-running” — when a neutral party uses a bot to jump the queue ahead of them on the blockchain to steal the funds instead.

Such hackers do not do this out of the goodness of their hearts, and they themselves operate on the wrong side of the law, bribing Ethereum moderators to let them jump the blockchain queue for transactions. The key difference is that they return the funds they have stolen in return for a reward.

In the case of the Curve hack, Chainalysis can confirm one instance of front-running: c0ffeebabe.eth took around $7 million from two of its Ethereum pools but then returned the funds to both affected protocols.

“Curve has not detailed any recovery plans, but publicly advised its users to withdraw funds from Vyper-based pools,” said Chainalysis. “We have labeled all addresses relevant to the Curve hacks in Chainalysis products and will continue to provide updates on the situation when possible.”
