Curve Finance Suffers $2M Loss Due to Hack
An unknown Miner Extractable Value (MEV) bot has been hacked, causing a loss of approximately $2 million in the renowned curve pools. The incident led to multiple large swaps and reverse swap arbitrage. The exploitation occurred when the arbitrage function, 0xf6ebebbb(), lacked proper authentication, providing an open door for the attacker to manipulate swaps across multiple curve pools. This malicious activity resulted in significant slippage, causing substantial losses for the affected parties.
Attacker’s Manipulation of Curve Pool
The attacker cunningly reversed the swaps to maximize their profits, compounding the impact of this incident. They exploited an arbitrage bot, resulting in a loss of $2.3 million through the Curve pool. They discovered an exposed function within the bot, enabling them to trigger a transaction from Wrapped Ether (WETH) to Wrapped Bitcoin (WBTC). Subsequently, they executed a flash loan for 27,255 WETH (equivalent to $51.36 million), utilizing it to significantly manipulate the price ratio of WETH/WBTC within the Curve pool.
Curve Finance Prior Exploits
On July 30, 2023, a series of exploitations occurred in multiple liquidity pools on Curve Finance, resulting in losses of approximately $70 million due to a vulnerability in Vyper, a third-party Pythonic programming language utilized by Ethereum smart contracts. Following the initial incident, both white hat hackers and Miner Extractable Value (MEV) bot operators collaborated to recover a portion of the lost funds.
Recovery Efforts and Extensions
Less than a week after the exploit, the hacker returned 4,820 alETH and 2,258 ETH to Alchemix, which amounted to approximately $12.7 million. Curve Finance announced via Twitter that they extended their bounty offer of $1.85 million to anyone who could identify the hacker after they did not voluntarily return the remaining funds.
According to PeckShield Alert data, an unknown Miner Extractable Value (MEV) bot has fallen victim to a hack, causing a loss of approximately $2 million.
By
By
By
