The Vyper Compiler Saga: Unraveling the Reentrancy Bug that Shook DeFi

Natachi Nnamaka · Rektify AI
Aug 4, 2023 · 4 min read

Introduction

On July 30, 2023, the DeFi space was hit by an exploit caused by a bug in certain versions of the Vyper compiler. In these versions (0.2.15, 0.2.16, and 0.3.0) the reentrancy locks did not work correctly. The team behind Vyper is still looking into this problem to find a solution. This incident has made people in the DeFi community worried and has shown how important it is to have strong security measures on decentralized finance platforms.

In this article, we will explain what a malfunctioning reentrancy lock means and talk about the hack in more detail. We will also discuss what happened after the hack and its consequences.

What are Vyper Compiler, Reentrancy, and Malfunctioning Reentrancy Lock?

The Vyper Compiler is a Python-based compiler for the Vyper programming language. It converts Vyper code to bytecode that can be executed by the Ethereum virtual machine.

A reentrancy vulnerability occurs when a smart contract allows an external contract to call back into it repeatedly before the first call has finished executing, that is, before the contract has updated its own state (such as a balance). Because each nested call still sees the old state, this can lead to a serious security risk, such as funds being withdrawn more than once.

In the present situation, a reentrancy lock refers to the mechanism built into Vyper to prevent reentrancy attacks; a malfunctioning reentrancy lock is one that, because of a defect, fails to provide the intended protection.
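To make the two definitions above concrete, here is a small Python model (added for this article, not Vyper's own code and not Curve's pools) of a pool that sends ETH before zeroing the caller's balance and therefore depends entirely on its reentrancy lock. The model is written in plain Python rather than Vyper so it can be run anywhere. It assumes three lock behaviours: no lock, one lock shared by every function (what a working @nonreentrant("lock") is meant to give), and a lock that is only enforced per entry point. The last mode is a simplified picture of how a lock can "malfunction": each function guards itself, yet a call that re-enters through a different function is not blocked. The Vault, Honest and Reenterer classes, the account balances and the reentry limit are all constructed for the example.

```python
"""Model of a reentrancy lock in the terms used above: a pool that makes an
external call before updating state, protected (or not) by a lock. Constructed
example in plain Python; it stands in for EVM behaviour only as far as needed."""

MAX_REENTRIES = 3  # keeps the constructed re-entering account bounded


class Revert(Exception):
    """Stands in for an EVM revert."""


class Vault:
    """Toy pool with two withdrawal entry points. Both make the external call
    BEFORE zeroing the balance, so correctness rests entirely on the lock."""

    def __init__(self, lock_mode="shared"):
        assert lock_mode in ("none", "shared", "per_function")
        self.lock_mode = lock_mode
        self.balances = {}   # account -> internal balance
        self.eth = 0         # ETH actually held by the contract
        self._locks = {}     # lock key -> currently held?

    def _enter(self, fn):
        """Acquire the lock on entry; which key is used is the whole point."""
        if self.lock_mode == "none":
            return None
        # "shared": one key for every function, so any nested call into the
        # contract is refused. "per_function": each entry point only checks
        # its own flag, so re-entering through another function slips through.
        key = "lock" if self.lock_mode == "shared" else fn
        if self._locks.get(key):
            raise Revert("reentrancy lock held")
        self._locks[key] = True
        return key

    def _exit(self, key):
        if key is not None:
            self._locks[key] = False

    def deposit(self, who, amount):
        self.balances[who] = self.balances.get(who, 0) + amount
        self.eth += amount

    def _send(self, recipient, amount):
        # External call: control passes to the recipient's code.
        self.eth -= amount
        recipient.receive(self, amount)

    def _withdraw(self, fn, who, recipient):
        key = self._enter(fn)
        try:
            amount = self.balances.get(who, 0)
            if amount == 0:
                raise Revert("nothing to withdraw")
            self._send(recipient, amount)   # interaction ...
            self.balances[who] = 0          # ... before effect (the flaw)
        finally:
            self._exit(key)                 # a revert also rolls the lock back

    def withdraw(self, who):
        self._withdraw("withdraw", who, who)

    def withdraw_to(self, who, recipient):
        self._withdraw("withdraw_to", who, recipient)


class Honest:
    def __init__(self):
        self.eth = 0

    def receive(self, vault, amount):
        self.eth += amount


class Reenterer:
    """Calls back into the vault from its receive hook: "same" re-enters
    withdraw(), "cross" re-enters the other entry point. A revert from the
    nested call is swallowed, as a raw call that ignores failure would."""

    def __init__(self, mode):
        self.mode = mode
        self.eth = 0
        self.reentries = 0

    def receive(self, vault, amount):
        self.eth += amount
        if self.reentries < MAX_REENTRIES and vault.balances.get(self, 0) > 0:
            self.reentries += 1
            try:
                if self.mode == "same":
                    vault.withdraw(self)
                else:
                    vault.withdraw_to(self, self)
            except Revert:
                pass


def run(lock_mode, attack):
    """Returns (eth received by the re-entering account, eth left in the
    vault). It deposited 10 of the vault's 110, so anything above 10 is taken
    from the honest depositor."""
    vault = Vault(lock_mode)
    honest, reenterer = Honest(), Reenterer(attack)
    vault.deposit(honest, 100)
    vault.deposit(reenterer, 10)
    vault.withdraw(reenterer)
    return reenterer.eth, vault.eth


if __name__ == "__main__":
    for lock_mode in ("none", "shared", "per_function"):
        for attack in ("same", "cross"):
            print(f"{lock_mode:13s} {attack:5s} -> {run(lock_mode, attack)}")
```

Running it shows the three cases side by side: with no lock the re-entering account leaves with 40 of the 110 ETH, a shared lock stops both the same-function and the cross-function reentry at 10, and the per-function lock stops the same-function case but lets the cross-function case through (20 taken). The lesson for a reviewer is that a lock is only as good as the scope it covers, and that ordering state updates before the external call (checks-effects-interactions) removes the dependence on the lock altogether.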

Deep Dive into Vyper Compiler Bug and The Aftermath

The attackers started with flash loans and took advantage of the reentrancy lock bug found in Vyper compiler versions 0.2.15, 0.2.16, and 0.3.0. Vyper and Curve Finance both tweeted to confirm that these compiler versions were vulnerable to malfunctioning reentrancy locks.

The attackers used this flaw primarily to target the factory pools on Curve Finance, getting away with over $26 million.

The attackers targeted multiple factory pools on Curve Finance. These pools included AlchemixFi, JPEGd, MetronomeDAO, Debridge Finance, and Ellipsisfi.

AlchemixFi lost 7,258.70 ETH, which is about $13.6 million. JPEGd lost 6,102.75 ETH, which is about $11.4 million. MetronomeDAO lost 866.55 ETH, which is about $1.6 million. Debridge Finance lost 13.13 ETH, which is about $24 thousand, and Ellipsisfi lost 283.02 WBNB, which is about $68 thousand.

According to the security firm Blocksec, assets stolen from the Curve pools due to this security flaw have crossed $41 million. Blocksec has also stated that the reentrancy attack is linked to the use of ‘use_eth’ and potentially puts the WETH-related pools at risk.

All the affected groups have since been liquidated by security experts as a way to mitigate the impact.

During the hack, a white hat hacker managed to recover about 2,879 ETH, worth around $5.4 million, from an attacker and returned the funds to Curve Finance.

Blocksec also disclosed that the BNB Smart Chain experienced copycat attacks as a result of the Vyper vulnerability, with approximately $73,000 stolen through three different exploits.

Conclusion

The Vyper Compiler’s malfunctioning reentrancy bug in versions 0.2.15, 0.2.16, and 0.3.0 led to a $26 million exploit on Curve Finance and other projects. This incident highlights the critical need for robust security measures and cross-platform vigilance in the DeFi space. Prompt response and white hat hacker involvement aided in mitigating the impact. Moving forward, prioritizing security best practices and conducting thorough audits are essential for the growth and trustworthiness of decentralized finance.

I am a junior blockchain developer with a background in frontend development.