Curve Finance Pools Hacked for Over $50 Million
Full Details of the Crime & More
The cool side of the blazing crypto ecosystem.
A Crypto newsletter covering the latest Hacks & Crime to keep you safe.
What’s in today’s crime cooler:
Summary of What Happened
What is the Impact on Users, Businesses, and Funds
How to be More Secure in the Future
Final Thoughts
Summary of What Happened
On July 30, 2023, a bunch of pools on the Curve Finance platform were hacked. This caused a loss of about $70 million, which made a lot of people in the DeFi world very worried.
The hack happened because of a problem in a programming language called Vyper, which is used by Curve and other similar platforms.
The hackers were able to trick the system into miscalculating balances, which allowed them to steal money. The first attack was on a pool for a protocol called JPEG’d, where they stole $12 million. Next came Alchemix DAO’s pool for $20 million, Metronome DAO’s for $1.6 million, and Curve’s pool for $18 million.
Some white hat hackers (good hackers) and some bots have been trying to help by recovering some of the stolen money. One of these hackers, who goes by the name c0ffeebabe.eth, managed to get back around $5.3 million from one pool and $1.6 million from another!
After the news of the hack spread, the price of CRV (Curve's token) fell by 5%. This, along with the fact that the bad hackers could sell a lot of CRV, made people worry about the effects on other DeFi platforms. Right now, Curve hasn't said how they plan to recover from this, but they've told their users to take their money out of the pools that use Vyper.
What is the Impact on Users, Businesses, and Funds
Users:
Users who had their funds in the affected pools suffered losses. The exact amount would depend on the proportion of their funds in the pool. Following the hack, Curve advised its users to withdraw funds from Vyper-based pools, which could have caused inconvenience and potential losses due to transaction fees.
Businesses:
The hack had a significant impact on Curve Finance and other businesses that used the affected Vyper versions. The immediate financial loss was substantial, with approximately $70 million drained from various pools. The hack also damaged the reputation of Curve Finance and could lead to a loss of user trust. Other businesses that rely on Vyper for their smart contracts might also face scrutiny and potential loss of trust.
Funds:
The value of the Curve DAO token (CRV) fell by 5% following the news of the hack. This decline, coupled with the risk that the hackers could sell a large amount of CRV into an illiquid market, triggered fears of a wider impact on DeFi protocols. In particular, the lending protocol AAVE was at risk due to a large borrow position secured by CRV token collateral. The actual value lost might end up being lower than the total initially reported, as some funds were recovered by white hat hackers and MEV bot operators.
How to be More Secure in the Future
Code Auditing and Testing: Regular and thorough auditing of smart contracts can help identify vulnerabilities before they can be exploited. This includes using automated testing tools and manual code review by experienced developers. It's also crucial to test the code under various scenarios to ensure it behaves as expected.
Bug Bounty Programs: These programs incentivize ethical hackers to find and report vulnerabilities in exchange for a reward. This can lead to the discovery of potential security issues before they're found by malicious actors.
Up-to-date Software: Keeping all software, including compilers and programming languages, up-to-date is crucial. In this case, specific versions of Vyper had known vulnerabilities. Regular updates and patching can help protect against known issues.
Use of Established Languages: Vyper, the language in which the vulnerable contracts were written, is less widely used and tested than Solidity, the most common language for Ethereum smart contracts. Using more established languages could potentially reduce the risk of undiscovered vulnerabilities.
Final Thoughts
Our final thoughts on this hack: Very unfortunate for many people that were affected. Curve was one of the largest decentralized exchanges in crypto. They had around $1.6 billion in total value locked. It sucks to see something get hacked to this extreme, and we will see what happens to the platform. I want to know more about the Vyper vulnerabilities. Were these ever 3rd-party checked or audited? Was it an easy fix to stop it from happening? Hopefully Curve Finance comes out with all the details.
Disclaimer: The information shared in this newsletter is for informational purposes only and should not be considered financial advice. It is crucial to conduct independent research and consult with a financial advisor before making any investment decisions.