Curve-Vyper exploit: The whole story so far

cointelegraph.com:

The decentralized finance (DeFi) ecosystem has experienced a challenging week after a seismic security incident led to over $61 million being stolen from Curve Finance’s pools, leaving several protocols facing broader contagion risks.

This attack exposed vulnerabilities across DeFi projects and sparked efforts to recover stolen funds over the past few days.

As the community navigates the aftermath of this exploit, Cointelegraph compiled the week’s events, presenting a timeline of what happened since the hack on July 30.

Several stable pools on Curve Finance using the Vyper programming language were exploited on July 30, with losses reaching over $61 million (total losses were initially estimated at $47 million). The vulnerability was found on Vyper’s versions 0.2.15, 0.2.16 and 0.3.0.

Several DeFi projects were affected by the attack. Decentralized exchange (DEX) Ellipsis reported that a small number of stable pools with BNB (BNB) were exploited using an old Vyper compiler. Alchemix’s alETH-ETH also witnessed $13.6 million of outflows due to the attack, along with $11.4 million exploited on JPEGd’s pETH-ETH pool and $1.6 million from Metronome’s sETH-ETH pool. Curve Finance CEO Michael Egorov also confirmed that 32 million Curve DAO (CRV) tokens worth over $22 million had been drained from the swap pool.

The BNB Smart Chain (BSC) was also a victim of copycat attacks due to the same vulnerability, with around $73,000 worth of cryptocurrencies on BSC across three exploits being stolen.

Since news of the exploit broke, white hat and black hat hackers have been duking it out on-chain, attempting to disrupt each others’ exploit attempts or efforts to recover funds.

Preliminary investigations found that some versions of the Vyper