Multiple projects have been hacked, and the losses due to the Vyper reentrancy lock vulnerability have exceeded $59 million. Is your money still safe?
Source: Beosin
On the evening of July 30, 2023, multiple projects faced their darkest hour.
At around 21:35 on July 30, Beosin EagleEye, Beosin's security risk monitoring, early-warning and blocking platform, detected that the NFT lending protocol JPEG'd had been attacked.
While the Beosin security team was analyzing the situation, several other projects were also compromised.
Around 22:51 on July 30, the msETH-ETH pool was hit by hackers.
Around 23:35 on July 30, the alETH-ETH pool was similarly breached.
These pools belong to the DeFi projects Alchemix (alETH) and Metronome (msETH), whose Curve liquidity pools were thus drained in turn.
The same attack method was exploited multiple times; what exactly went wrong?
The Reason Multiple Projects Were Attacked: Is it Vyper?
According to a tweet from Vyper, the Ethereum smart-contract language, in the early hours of July 31, Vyper versions 0.2.15, 0.2.16 and 0.3.0 have a faulty reentrancy lock; because a native ETH transfer can trigger a callback in the recipient, LP pools holding ETH were exposed to reentrancy attacks.
Following this, Curve's official Twitter account stated that, because of the failed reentrancy lock, a number of stable pools using Vyper 0.2.15 (alETH/msETH/pETH) had been exploited, while other pools were safe.
Analysis of Attacked Projects by Beosin Security Team
The following are the transactions and addresses involved in this incident:
● Attack transactions:
0xc93eb238ff42632525e990119d3edc7775299a70b56e54d83ec4f53736400964
0xb676d789bb8b66a08105c844a49c2bcffb400e5c1cfabd4bc30cca4bff3c9801
0xa84aa065ce61dbb1eb50ab6ae67fc31a9da50dd2c74eefd561661bfce2f1620c
0x2e7dc8b2fb7e25fd00ed9565dcc0ad4546363171d5e00f196d48103983ae477c
0xcd99fadd7e28a42a063e07d9d86f67c88e10a7afe5921bd28cd1124924ae2052
● Attackers' addresses:
0xC0ffeEBABE5D496B2DDE509f9fa189C25cF29671
0xdce5d6b41c32f578f875efffc0d422c57a75d7d8
0x6Ec21d1868743a44318c3C259a6d4953F9978538
0xb752DeF3a1fDEd45d6c4b9F4A8F18E645b41b324
● Attacked contracts:
0xc897b98272AA23714464Ea2A0Bd5180f1B8C0025
0xC4C319E2D4d66CcA4464C0c2B32c9Bd23ebe784e
0x9848482da3Ee3076165ce6497eDA906E66bB85C5
0x8301AE4fc9c624d1D396cbDAa1ed877821D7C511
Vulnerability Analysis
According to the Beosin security team's analysis, the root cause was the failure of the reentrancy lock in pool contracts compiled with Vyper 0.2.15. The attacker called the pool's remove_liquidity function and, during the ETH transfer that function performs, re-entered add_liquidity to deposit liquidity. Because remove_liquidity had already partly updated the pool's balances when add_liquidity ran, add_liquidity priced the deposit on inconsistent state, producing an incorrect price calculation.
Attack Process
Take the msETH-ETH-f pool, attacked in transaction 0xc93eb238f (the first attack transaction listed above), as an example.
In the preparation phase, the attacker first borrowed 10,000 ETH through a flash loan from the Balancer Vault to use as attack capital.
Attack Phase:
- First, the attacker calls add_liquidity to deposit 5000 of the borrowed ETH into the pool.
- Next, the attacker calls remove_liquidity to withdraw ETH from the pool; the ETH transfer calls back into the attacker's contract, which re-enters add_liquidity and adds liquidity again.
- Third, because the pool's balances had already been partly updated when add_liquidity was re-entered, the price was computed on inconsistent state. Notably, both remove_liquidity and add_liquidity were guarded by the same reentrancy lock, which should have prevented exactly this.
- So why did the lock not work? In the vulnerable Vyper compiler code (see the fix commit below), each time the same lock name appeared on another function, the compiler advanced the storage-slot counter by one. The first function to use the lock was assigned slot 0, the next function using the same lock name was assigned slot 1, and so on. Each function therefore checked and set its own flag: while remove_liquidity held slot 0, add_liquidity checked slot 1, found it clear, and ran. The lock only stopped a function from re-entering itself, not cross-function reentrancy. Fix commit: https://github.com/vyperlang/vyper/commit/eae0eaf86eb462746e4867352126f6c1dd43302f
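To make the mechanism concrete, here is an added Python model (illustrative code written for this article, not Vyper compiler code and not any Curve contract). It imitates the two allocation behaviours, the 0.2.15 to 0.3.0 behaviour where every function decorated with @nonreentrant("lock") received its own storage slot, and the fixed behaviour where all functions sharing a key share one slot, and replays the remove_liquidity -> ETH callback -> add_liquidity sequence against both. The function names mirror the attacked pools; the re-entering recipient is a constructed stand-in for the attacker's contract, and the pool does no token maths.

```python
"""Added model of the Vyper 0.2.15-0.3.0 reentrancy-lock bug.

Illustrative Python, not Vyper compiler code or any Curve pool. It models
(1) the compile-time allocation of a storage slot for each
@nonreentrant("<key>") decorator, buggy vs fixed, and (2) the attack
sequence: remove_liquidity sends ETH, the recipient's callback re-enters
add_liquidity before the first call has finished.
"""


class Revert(Exception):
    """Stands in for an EVM revert raised by the lock check."""


def allocate_lock_slots(decorated_functions, share_slot_per_key):
    """Compile-time step: map each nonreentrant function to a storage slot.

    decorated_functions: list of (function_name, lock_key) pairs.
    share_slot_per_key=False models 0.2.15-0.3.0: a fresh slot every time
    the key appears, so two functions using "lock" get two slots.
    share_slot_per_key=True models the fixed compiler: the first slot
    allocated for a key is reused by every later function with that key.
    """
    slots = {}
    slot_for_key = {}
    next_slot = 0
    for fn, key in decorated_functions:
        if share_slot_per_key and key in slot_for_key:
            slots[fn] = slot_for_key[key]
            continue
        slots[fn] = next_slot
        slot_for_key.setdefault(key, next_slot)
        next_slot += 1
    return slots


class Pool:
    """Minimal pool with two lock-guarded functions; no token maths."""

    def __init__(self, lock_slots):
        self.lock_slots = lock_slots   # function name -> storage slot
        self.storage = {}              # storage slot -> 0/1 lock flag
        self.trace = []                # order in which function bodies ran

    def _nonreentrant(self, fn, body):
        # What the decorator compiles to: read the flag at this function's
        # slot, revert if set, set it, run the body, clear it.
        slot = self.lock_slots[fn]
        if self.storage.get(slot, 0) == 1:
            raise Revert(f"{fn}: lock at slot {slot} already held")
        self.storage[slot] = 1
        try:
            return body()
        finally:
            self.storage[slot] = 0

    def remove_liquidity(self, recipient):
        def body():
            self.trace.append("remove_liquidity")
            # raw_call(msg.sender, b"", value=...) hands control to the
            # recipient while this function is still executing.
            recipient.receive_eth(self)
        return self._nonreentrant("remove_liquidity", body)

    def add_liquidity(self):
        def body():
            self.trace.append("add_liquidity")
        return self._nonreentrant("add_liquidity", body)


class ReenteringRecipient:
    """Constructed attacker contract: re-enters the pool on the ETH callback."""

    def receive_eth(self, pool):
        pool.add_liquidity()


def run_attack(share_slot_per_key):
    """Return ("reentered", trace) or ("reverted", reason)."""
    lock_slots = allocate_lock_slots(
        [("remove_liquidity", "lock"), ("add_liquidity", "lock")],
        share_slot_per_key,
    )
    pool = Pool(lock_slots)
    try:
        pool.remove_liquidity(ReenteringRecipient())
    except Revert as err:
        return "reverted", str(err)
    return "reentered", pool.trace


if __name__ == "__main__":
    print("0.2.15-0.3.0 allocation:", run_attack(share_slot_per_key=False))
    print("fixed allocation:       ", run_attack(share_slot_per_key=True))
```

With the per-function allocation the trace shows add_liquidity executing inside remove_liquidity, exactly the cross-function reentry the pools suffered; with one slot per key the second call reverts on the held lock. Note that a lock used by only one function behaves the same under both allocations, which is why the bug went unnoticed by tests that only re-entered the same function.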
Fund Statistics
As of publication, the funds lost in this attack exceed 59 million USD. Beosin KYT has observed that the address c0ffeebabe.eth returned 2879 ETH; the remaining stolen funds are still held at several attacker addresses.
Subsequent Impact
Regarding the impact of this incident, on July 31 Binance founder Zhao Changpeng (CZ) tweeted that CEX price feeds saved DeFi, that Binance users were not affected, and that the Binance team had checked for the Vyper reentrancy vulnerability: Binance only uses version 0.3.7 or above. He added that it is crucial to keep codebases, applications and operating systems up to date.
On July 31, Curve tweeted that, due to the Vyper compiler issue in versions 0.2.15-0.3.0, the CRV/ETH, alETH/ETH, msETH/ETH and pETH/ETH pools had been exploited. It added that the Arbitrum Tricrypto pool may also be affected: auditors and Vyper developers had not yet found an exploitable vulnerability, but users were asked to exit the pool as a precaution.
It is evident that the impact of this incident is still ongoing, and users with funds in these pools need to exercise caution.
In response to this incident, the Beosin security team recommends the following. The reentrancy locks in Vyper versions 0.2.15, 0.2.16 and 0.3.0 are all ineffective across functions, so project teams whose contracts were compiled with these versions should check their code immediately. More generally, after a project goes live, teams should keep monitoring vulnerability disclosures for the third-party components, compilers and libraries they depend on, so that security risks can be mitigated in time.
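As a starting point for the self-check recommended above, here is an added Python script (illustrative code written for this article, not a Beosin or Vyper tool). It reads the version pragma from a Vyper source file, lists the @nonreentrant keys, and reports whether the file combines an affected compiler version with a lock key shared by two or more functions, which is the pattern exploited in the Curve pools. The embedded sample source is constructed to have that shape and is not any deployed contract.

```python
"""Added self-check for Vyper sources against the 0.2.15-0.3.0 lock bug.

Illustrative code, not a Beosin or Vyper tool. Usage:
    python vyper_lock_check.py path/to/Pool.vy [more.vy ...]
With no arguments it checks the constructed sample below.
"""
import re
import sys

AFFECTED_VERSIONS = {"0.2.15", "0.2.16", "0.3.0"}

# "# @version 0.2.15" (older style) or "#pragma version 0.3.10" (newer style).
VERSION_PRAGMA = re.compile(
    r"^\s*#\s*(?:@version|pragma\s+version)\s+(\S+)", re.MULTILINE
)
# @nonreentrant('lock') or @nonreentrant("lock"); captures the key.
NONREENTRANT = re.compile(
    r"^\s*@nonreentrant\(\s*(['\"])([^'\"]*)\1\s*\)", re.MULTILINE
)
EXACT_VERSION = re.compile(r"\d+\.\d+\.\d+")


def check_vyper_source(source: str) -> dict:
    """Classify one Vyper source text by declared compiler version and locks."""
    match = VERSION_PRAGMA.search(source)
    version = match.group(1) if match else None
    keys = [key for _quote, key in NONREENTRANT.findall(source)]
    # A key used by a single function is safe even on an affected compiler:
    # re-entering the same function hits the same slot. The bug only bites
    # when two or more functions share one key.
    shared_keys = sorted({k for k in keys if keys.count(k) > 1})

    if version is None:
        status = "unknown: no version pragma, check the compiler actually used"
    elif not EXACT_VERSION.fullmatch(version):
        status = "range specifier: resolve against the compiler actually used"
    elif version not in AFFECTED_VERSIONS:
        status = "not affected"
    elif shared_keys:
        status = "vulnerable"
    else:
        status = "affected compiler, but no lock key is shared between functions"
    return {
        "version": version,
        "lock_keys": keys,
        "shared_lock_keys": shared_keys,
        "status": status,
    }


# Constructed sample with the shape of an ETH pool; not any real contract.
SAMPLE_POOL = """# @version 0.2.15
# Constructed sample for the checker above, not a deployed contract.

@external
@nonreentrant('lock')
def add_liquidity(amounts: uint256[2], min_mint_amount: uint256) -> uint256:
    return 0

@external
@nonreentrant('lock')
def remove_liquidity(_amount: uint256, min_amounts: uint256[2]) -> uint256[2]:
    raw_call(msg.sender, b"", value=_amount)
    return [0, 0]
"""


if __name__ == "__main__":
    paths = sys.argv[1:]
    if not paths:
        print("sample:", check_vyper_source(SAMPLE_POOL))
    for path in paths:
        with open(path, encoding="utf-8") as fh:
            print(path, check_vyper_source(fh.read()))
```

The pragma is only a declaration: a contract can be compiled with a different version than its source claims, so for deployed code confirm the result against the compiler version recorded with the verified source on the block explorer, and treat any range specifier or missing pragma as unresolved rather than safe.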