UPDATED 13:40 EDT / JULY 31 2023

Decentralized Ethereum protocol Curve Finance exploited for more than $50M

Curve Finance, a decentralized finance protocol on the Ethereum blockchain used for trading stablecoins and other tokens, was exploited for more than $50 million on Sunday after vulnerabilities were found in a programming language used by its software.

Decentralized finance, or DeFi, uses self-executing software called smart contracts to let peer-to-peer transactions be executed on a blockchain without the need for middlemen such as banks.

Curve Finance tweeted early Sunday that Vyper, a smart contract programming language, had a vulnerability in particular versions – 0.2.15, 0.2.16 and 0.3.0 – that would result in “a malfunctioning reentrancy lock.” The purpose of this lock is to prevent a contract from being called again to request funds before an earlier call has finished.

The blockchain security firm PeckShield estimated that approximately $52 million in funds had been stolen so far from a number of different DeFi protocols, including MetronomeDAO and Debridge Finance. Other analyses put the figure even higher, closer to $70 million.

According to the decentralized exchange Ellipsis, a small number of its “stablepools,” liquidity pools that store stablecoins for trading, had been using Vyper and had been exploited. DeFi lending platform Alchemix lost approximately $13.6 million.

Decentralized finance security firm Dsecurity said that nonfungible token lending protocol JPG’d lost about $11 million worth of cryptocurrency in the exploit.

“There was an attack on the pETH-ETH curve pool,” JPG’d said on Twitter early Sunday. “The vault contracts allowing to borrow against NFTs are safe and still running solidly. NFTs and the treasury funds are safe. We’ll keep everyone updated as soon as we know better what is happening.”

Curve Finance is a decentralized exchange protocol that is optimized for stablecoin trading. Although it has been modified over time to cater to other cryptocurrencies, it operates primarily as a way to exchange between stablecoins and other currencies, much in the way that people change their money when they fly to a different country. Stablecoins are a useful form of exchange because they “peg,” or maintain one-to-one parity with, another currency such as the U.S. dollar, so that one token is always $1.

As a result, stablecoins and Curve are widely used by numerous DeFi applications to allow users to exchange their native cryptocurrencies for stablecoins. An exploit of Curve’s liquidity pools could have a broad effect on confidence in its use.

More than $313 million in digital assets was lost or stolen in crypto hacks and exploits in the second quarter of 2023, according to a report from blockchain security company CertiK. That compares with the second quarter of 2022, when hacks and exploits caused approximately $745 million in losses.

“We are assessing the situation and will update the community as things develop,” Curve said about the vulnerability. As to systems not using the exploitable Vyper versions, Curve said, “Other pools are safe.”

Early this morning, Curve reiterated that any DeFi application running on Vyper should immediately migrate to the most recent version, 0.3.7+. The team stressed that it has been “refactored and audited,” but noted that “this is not a guarantee.” However, it is better than being on contracts that are known to be vulnerable.
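
As an added example (not part of the original article, and not Curve's or Vyper's own code), the following Python triages Vyper source files against the three affected compiler versions and the 0.3.7 migration floor mentioned above. The function names, status labels and sample contracts are constructed for illustration, and a source-level pragma is only a first check against the compiler actually used at deployment.

```python
import re

# Compiler versions the article names as having the malfunctioning lock.
AFFECTED = {(0, 2, 15), (0, 2, 16), (0, 3, 0)}
# Oldest version Curve recommended migrating to, per the article.
RECOMMENDED_MIN = (0, 3, 7)

# Vyper pragmas look like "# @version 0.2.15" or "#pragma version ^0.3.0".
PRAGMA_RE = re.compile(r"^#\s*(?:@version|pragma\s+version)\s+(\S+)", re.M)
EXACT_RE = re.compile(r"^=*(\d+)\.(\d+)\.(\d+)$")
LOCK_RE = re.compile(r"^\s*@nonreentrant\b", re.M)


def triage(source: str) -> str:
    """Classify one Vyper source file by compiler pragma and lock usage."""
    pragma = PRAGMA_RE.search(source)
    if pragma is None:
        return "unknown"            # no pragma: check the build records
    exact = EXACT_RE.match(pragma.group(1))
    if exact is None:
        return "unpinned"           # range such as ^0.3.0: source cannot tell
    version = tuple(int(part) for part in exact.groups())
    if version in AFFECTED:
        # The lock flaw only bites where the contract relies on the lock.
        return "affected" if LOCK_RE.search(source) else "affected-version-no-lock"
    if version < RECOMMENDED_MIN:
        return "below-recommended"
    return "recommended-or-later"


# Constructed sample contracts, not taken from any real protocol.
SAMPLES = {
    "pool.vy": '# @version 0.2.15\n@external\n@nonreentrant("lock")\n'
               "def remove_liquidity(amount: uint256):\n    pass\n",
    "token.vy": "# @version 0.3.0\n@external\ndef ping():\n    pass\n",
    "vault.vy": '# @version ^0.3.0\n@external\n@nonreentrant("lock")\n'
                "def withdraw():\n    pass\n",
    "new.vy": "#pragma version 0.3.10\n@external\ndef ping():\n    pass\n",
    "old.vy": "# @version 0.3.1\n@external\ndef ping():\n    pass\n",
}


def scan(sources: dict) -> dict:
    """Triage every file in a {name: source} mapping."""
    return {name: triage(text) for name, text in sources.items()}


if __name__ == "__main__":
    for name, status in scan(SAMPLES).items():
        print(f"{name}: {status}")
```

Files reported as `unpinned` or `unknown` need the compiler version confirmed from build or deployment records before they can be ruled in or out.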
