ChainCatcher news, Web3 security company Certora announced a collaboration with the smart contract language Vyper team to make its Prover tool available to all users, helping to enhance the security of Vyper code.As key holders of the Vyper community, users will be able to use Certora Prover to verify Vyper code until December 31, 2023.

ChainCatcher message, the Ethereum programming language Vyper released a post-mortem analysis report regarding last week's vulnerability incident. The report indicated that on July 30, multiple Curve liquidity pools were exploited due to a potential vulnerability in the Vyper compiler, which was an improperly implemented reentrancy guard. The affected Vyper versions included v0.2.15, v0.2.16, and v0.3.0.Vyper stated that the vulnerability has been fixed and tested in version v0.3.1, and that v0.3.1 and later versions are safe. However, at the time, it was not realized that protocols using the vulnerable versions of the compiler would be affected, nor were downstream protocols notified in a timely manner.

ChainCatcher news, according to CoinTelegraph, three decentralized finance (DeFi) platforms including Curve, Metronome, and Alchemix have announced a joint initiative to recover funds that were recently exploited and stolen from Curve's liquidity pool. These protocols are offering a 10% bounty on the stolen funds and guarantee that there will be no further legal action or involvement from law enforcement. The three parties have provided a direct communication channel via email and urged the responsible parties to respond immediately.It is reported that the attack on Curve was caused by a critical vulnerability in a version of the Vyper programming language, raising concerns about a potential domino effect on the DeFi ecosystem.

ChainCatcher news, the DeFi lending protocol Sentiment officially announced that, considering the vulnerabilities recently disclosed by the Curve and smart contract language Vyper teams, the Sentiment protocol has been suspended as a precaution. Sentiment user funds are not exposed to the corresponding risks, and no further action is required.

ChainCatcher news, smart contract language Vyper contributor @fubuloubu commented on the Curve hacking incident, "Finding this vulnerability could take weeks to months, possibly carried out by a small group or team. We may find more information soon, but given the resources involved, I think there is reason to suspect that state-sponsored hackers may be involved."@fubuloubu stated, "Currently, there are only two compilers that are optimal; Vyper's codebase is smaller, easier to read, and has fewer changes to analyze its history, which may be why the hackers targeted it. The Solidity codebase is larger. Secondly, the compilers have not been reviewed or audited as much as people think. Most compilers undergo significant and frequent changes, which is not conducive to auditing.All of this points to the final issue: the incentive problem, that is, no one has the motivation to look for critical vulnerabilities in the compiler, especially in older versions.But this is not the end for Vyper or Curve; we must come together to address these types of public goods issues. Personally, I previously proposed a plan that would help improve Vyper by adding a user-sponsored bounty program."

ChainCatcher news, Binance CEO Changpeng Zhao stated on social media that Binance users are not affected. The Binance team has checked the Vyper reentrancy vulnerability and confirmed that only versions 0.3.7 or above are in use. It is very important to keep the latest codebase, applications, and operating systems updated. CEX pricing saved DeFi.

ChainCatcher news, the NFT lending protocol BendDAO announced that all BendDAO contracts are compiled with Solidity, not Vyper.Previous news, the Ethereum programming language Vyper announced that the recursive lock vulnerability in versions 0.2.15, 0.2.16, and 0.3.0 is currently under investigation.

ChainCatcher news, SlowMist's Chief Information Security Officer 23pds stated on Twitter: "The version recommended in the Vyper official documentation (installation interface) is an incorrect version."Earlier today, the Ethereum programming language Vyper announced that the recursive lock failure affects versions 0.2.15, 0.2.16, and 0.3.0. Curve Finance stated that due to the Vyper recursive lock failure, the stablecoin pool alETH/msETH/pETH was attacked. According to security agencies' monitoring, the Curve Finance attack has resulted in a loss of 52 million dollars.

ChainCatcher message, the BNB Chain eco DEX Ellipsis Finance using the Curve mechanism tweeted that a few BNB stable pools using the old version of the Vyper compiler were attacked and are currently under assessment.Earlier news, Curve Finance stated that due to a Vyper recursive lock failure, the stablecoin pool alETH/msETH/pETH was attacked. According to security agencies' monitoring, the Curve Finance attack incident has resulted in a loss of 52 million dollars.

ChainCatcher message, Curve Finance stated on Twitter that some stable pools (alETH/msETH/pETH) using Vyper 0.2.14 have been attacked due to a reentrancy lock failure. Currently, Curve is assessing the situation, and other pools are safe. Additionally, Curve further stated, "The dangerous combination is the affected Vyper version with the use of pure ETH."

ChainCatcher news, the Ethereum programming language Vyper tweeted that versions 0.2.15, 0.2.16, and 0.3.0 of Vyper are affected by a reentrancy lock failure, and the investigation is ongoing.