In the blockchain and decentralized finance (DeFi) world, the security and integrity of smart contracts is of utmost importance. Unfortunately, a new incident at Curve Pools has highlighted the risks that persist in this ever-evolving ecosystem.
An unknown Miner Extractable Value (MEV) bot fell victim to an exploit, resulting in a massive loss of approximately $2 million on the famous Curve Pools.
The exploitation occurred due to a vulnerability in an arbitration function, identified by PeakShieldAlert as 0xf6ebebbb(), the case was quickly sent to the community through X.
This feature lacked proper authentication, giving the attacker an open door to manipulate trades across multiple Curve Pools.
Resulted in a Significant Slippage in Exchanges, Strongly Affecting Curve Pools
What makes this exploit even more disturbing is the ingenuity of the attacker. After manipulating the exchanges, he cunningly reversed the trades to maximize his profits, further compounding the impact of the incident.
To achieve this, the attacker exploited an exposed feature in the arbitrage bot, allowing him to initiate a transaction from Wrapped Ether (WETH) to Wrapped Bitcoin (WBTC).
He then executed a flash loan for 27,255 WETH (equivalent to $51.36 million), which he used to significantly alter the price relationship between WETH and WBTC on the Curve Pool.
As a result, the conversion of 1,339.8 WETH (approximately $2.52 million) into 6.95 WBTC (around $244,000) occurred by destabilizing the pool.
Importantly, the owner of the MEV bot had already withdrawn funds from the contract before the attack, which further complicated the situation.
This incident is reminiscent of a series of previous exploits on Curve Finance in late July 2023, which resulted in losses of around $70 million. These attacks were possible due to a vulnerability in Vyper, a Python programming language used by smart contracts on Ethereum, including those on Curve and other decentralized protocols.
However, after this exploit, both ethical hackers and MEV bot operators worked together to recover a portion of the lost funds, which could reduce the value of the initial reported losses.
Additionally, the attacker returned a portion of the stolen funds, providing some relief to the community.
Despite these efforts, Curve Finance has extended a $1.85 million reward offer to anyone who could identify the attacker of this recent exploit, demonstrating the DeFi community’s determination to address and prevent future exploits.
