On 30 July 2023, a critical issue was discovered in the Vyper compiler affecting versions 0.2.15, 0.2.16, and 0.3.0. Although the bug had been identified and patched by the v0.3.1 release, its impact on protocols compiled with the vulnerable versions was not realized at the time, and those protocols were not explicitly notified. The vulnerability itself was an improperly implemented re-entrancy guard that could be bypassed under certain conditions, which we delve into in this report.
The Vyper team has published a post-mortem report on the nonreentrant lock vulnerability, which members can review.
This attack vector was used to carry out a series of attacks on several Curve Finance pools. It allowed an attacker to bypass the re-entrancy guards and drain funds from the JPEG’d (pETH/ETH), Alchemix (alETH/ETH), Metronome (msETH/ETH), and Curve (CRV/ETH) pools.
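As an added triage example (not code from this post or from the Vyper or Curve projects), the following Python script checks a Vyper source file against the affected compiler versions named above: it reads the version pragma, collects the keys used with the `@nonreentrant` decorator, and classifies the file. The sample sources are constructed, and the script assumes the pragma reflects the compiler actually used at deploy time only when it pins an exact version; a range pragma is reported as needing a manual compiler check.

```python
import re
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Vyper releases this page names as shipping the broken nonreentrant lock.
AFFECTED = {(0, 2, 15), (0, 2, 16), (0, 3, 0)}
PRAGMA_RE = re.compile(r"^\s*#\s*(?:@version|pragma\s+version)\s+(\S+)", re.M)
SEMVER_RE = re.compile(r"(\d+)\.(\d+)\.(\d+)")
LOCK_RE = re.compile(r"@nonreentrant\(\s*['\"]([^'\"]+)['\"]\s*\)")


@dataclass
class Triage:
    version: Optional[Tuple[int, int, int]]  # version named in the pragma, if any
    pinned: bool                             # pragma names one exact version
    lock_keys: List[str]                     # keys used with @nonreentrant
    status: str                              # exposed | check-compiler | unaffected | unknown


def triage_vyper_source(src: str) -> Triage:
    # The pragma is only a hint: exposure depends on the compiler actually used at
    # deploy time, so an un-pinned range yields 'check-compiler', not a verdict.
    version, pinned = None, False
    m = PRAGMA_RE.search(src)
    if m:
        spec = m.group(1)
        sv = SEMVER_RE.search(spec)
        if sv:
            version = tuple(int(x) for x in sv.groups())
            pinned = spec == sv.group(0)  # no ^, >=, ~= operator in front
    lock_keys = LOCK_RE.findall(src)
    if version is None:
        status = "unknown"
    elif not lock_keys:
        status = "unaffected"          # this bug lives in the lock itself
    elif pinned:
        status = "exposed" if version in AFFECTED else "unaffected"
    else:                              # range spec: only its lower bound is known
        status = "unaffected" if version > max(AFFECTED) else "check-compiler"
    return Triage(version, pinned, lock_keys, status)


# Constructed samples (not Curve or Vyper project code) covering each outcome.
SAMPLE_OLD = ("# @version 0.2.15\n@external\n@nonreentrant('lock')\n"
              "def add_liquidity(a: uint256):\n    pass\n@external\n"
              "@nonreentrant('lock')\ndef remove_liquidity(a: uint256):\n    pass\n")
SAMPLE_RANGE = "# @version ^0.2.0\n@external\n@nonreentrant('lock')\ndef f():\n    pass\n"
SAMPLE_FIXED = "# @version 0.3.1\n@external\n@nonreentrant('lock')\ndef f():\n    pass\n"
SAMPLE_NOLOCK = "# @version 0.2.16\n@external\ndef f():\n    pass\n"
```

Running `triage_vyper_source` over each sample returns `exposed`, `check-compiler`, `unaffected` and `unaffected` respectively; a file with no version pragma returns `unknown`.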
Frens over at BlockSec did a great job of documenting all the loss amounts and timelines: Curve Exploitation Incident Attack Transaction List
We currently have 1 policy holder with a Curve Finance cover, purchased for a total of 320k USD, out of which the policy holder has requested a claim of around 80k to 90k USD against the valid insurance policy. The claim request is currently being analyzed to determine the accurate payout amount.
Here is the full Claims Tracker Sheet https://docs.google.com/spreadsheets/d/1ceKyl6tGqNom2VzHWQr-wNlu3nIsSdRbbziFplcXJXw/edit#gid=0
Our Claims DAO Committee members have already been analyzing the exploit and studying the state of the exploited funds, particularly for the CRV/ETH pool: funds rescued by whitehats, funds rescued by an MEV bot, additional funds returned to the Curve team, and funds that are still outstanding. A rough estimate of the total amount realized by the blackhat attacker is still under analysis and awaiting confirmation from the Curve Finance team. We are also establishing a line of communication with the CRV team to discuss the compensation plan and the way forward.
We recommend that members who haven’t yet submitted a claim request go to UnoRe, click on their active / expired CRV policy, and submit a claim request using the form interface.
For those users who have already filed their claims, we ask that they kindly wait until more information is available, so that Claim Assessors can accurately determine losses and factor in potential reimbursement amounts. Members who have filed claims and subsequently recover their losses from Curve Finance or any other third party are requested to notify us at firstname.lastname@example.org and promptly reimburse the Uno Re DAO multi-sig for any claims redeemed under the Curve Finance SCV Cover.
Our Claims DAO committee members, including veterans from the insurance sector as well as web3 security such as Kunal Sadani, Anthony Thomas, Thomas Dev, and other committee members, are currently analyzing the validity and amount of claim payouts for each policy holder who has a valid claim. Kindly find below the team’s initial analysis.
As of this update, c0ffeebabe.eth, the owner of the MEV bot who was able to save some of the exploited funds, returned 2,879.54 ETH ($5.4m) to the Curve deployer.
After the initial two exploits on the CRV/ETH pool, a whitehat rescue was successful in removing the remaining vulnerable funds left in the pool, per the Curve team’s update.
Only part of policy holder 237’s cover amount has been affected by the recent exploits. The committee is conducting a closer inspection to determine the insurance compensation based on the LP tokens present in the policy holder’s wallet at the time of cover purchase, with a further breakdown after deducting the amounts returned by whitehats and MEV bots.
Committee members are waiting for more information to be released, including the Curve team’s post-mortem report and guidance on potential reimbursement for the affected Curve pools to which funds have been returned to date.
The following additional material has been gathered by the committee for claims analysis: