- Amount Lost: $50,476,970.00
- Funds Returned: $6,820,757.00
- Category: Exchange (DEX)
- Date: 2023-7-30
Quick Summary
A vulnerability in the Vyper compiler was exploited, causing a loss of 50,476,970 USD across multiple projects.
Details of the Exploit
The Vyper compiler, a tool for writing smart contracts on EVM-compatible chains, contained a vulnerability in versions 0.2.15 to 0.3.0 that was exploited across several projects. Independent security researchers confirmed that the vulnerability has been fixed since version 0.3.1. The root cause was that the add_liquidity and remove_liquidity functions in Curve Pools, as implemented in the vulnerable Vyper versions, used separate reentrancy lock slots, so the lock taken by one function did not block entry into the other, which allowed a reentrancy attack. The exploit affected several projects, including MetronomeDAO, JPEG'd, Alchemix, and Curve Pools, resulting in a combined loss of 50,476,970 USD. Some funds were returned, totaling 6,820,757 USD.
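A simplified Python model of the root cause described above, added here as an illustration and not taken from the Vyper compiler or the Curve contracts. The `Pool` class, the lock key name `lock`, and the `on_transfer` callback (standing in for an external call made while the lock is held) are assumptions of the model. It compares a guard with one shared slot against a guard with a slot per function.

```python
# Constructed model: a reentrancy lock whose storage slot is chosen
# per function instead of per lock key. Not Vyper or Curve code.

class Reentered(Exception):
    """Raised when a guarded function is entered while its lock is held."""

class Pool:
    # Assumption: both functions are declared with the same lock key.
    LOCK_KEY = {"add_liquidity": "lock", "remove_liquidity": "lock"}

    def __init__(self, slot_per_function):
        self.slot_per_function = slot_per_function
        self.storage = {}   # slot name -> lock flag
        self.trace = []     # order in which guarded bodies started

    def _slot(self, fn):
        key = self.LOCK_KEY[fn]
        # Faulty layout: the slot depends on the function as well as the
        # key, so two functions sharing a key do not share a flag.
        return f"{key}:{fn}" if self.slot_per_function else key

    def _guarded(self, fn, body):
        slot = self._slot(fn)
        if self.storage.get(slot):
            raise Reentered(fn)
        self.storage[slot] = True
        try:
            self.trace.append(fn)
            body()
        finally:
            self.storage[slot] = False

    def add_liquidity(self):
        self._guarded("add_liquidity", lambda: None)

    def remove_liquidity(self, on_transfer):
        # on_transfer models an external call made mid-function.
        self._guarded("remove_liquidity", on_transfer)

def cross_function_entry_blocked(slot_per_function):
    """True if entering add_liquidity during remove_liquidity is rejected."""
    pool = Pool(slot_per_function)
    try:
        pool.remove_liquidity(on_transfer=pool.add_liquidity)
    except Reentered:
        return True
    return False
```

With a shared slot the nested call is rejected; with per-function slots it runs to completion, which is why a regression test for a reentrancy guard should cover entry into a different guarded function and not only the same one.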
Block Data Reference
Curve Pools:
Exploiters:
https://etherscan.io/address/0xb752def3a1fded45d6c4b9f4a8f18e645b41b324
https://etherscan.io/address/0xc0ffeebabe5d496b2dde509f9fa189c25cf29671
Malicious Transactions:
https://etherscan.io/tx/0xcd99fadd7e28a42a063e07d9d86f67c88e10a7afe5921bd28cd1124924ae2052
https://etherscan.io/tx/0x2e7dc8b2fb7e25fd00ed9565dcc0ad4546363171d5e00f196d48103983ae477c
Funds Returning Transaction:
https://etherscan.io/tx/0xb76754124fdde090f25129105ed2907e3c62e0db87ecb8ffcefcb1dede0954fd
JPEG'd:
Exploiter:
https://etherscan.io/address/0x6ec21d1868743a44318c3c259a6d4953f9978538
Malicious Transaction:
https://etherscan.io/tx/0xa84aa065ce61dbb1eb50ab6ae67fc31a9da50dd2c74eefd561661bfce2f1620c
Alchemix:
Exploiter:
https://etherscan.io/address/0xdce5d6b41c32f578f875efffc0d422c57a75d7d8
Malicious Transaction:
https://etherscan.io/tx/0xb676d789bb8b66a08105c844a49c2bcffb400e5c1cfabd4bc30cca4bff3c9801
MetronomeDAO:
Exploiter:
https://etherscan.io/address/0xc0ffeebabe5d496b2dde509f9fa189c25cf29671
Malicious Transaction:
https://etherscan.io/tx/0xc93eb238ff42632525e990119d3edc7775299a70b56e54d83ec4f53736400964
Funds Returning Transaction:
https://etherscan.io/tx/0x650a73bfff233815ec6c4de22f105ddff8d5194d10b7375b3cdcd23ec6469f9a
Proof Links: