CertiK: Detailed explanation of Vyper's $52 million loss
Vulnerabilities in Vyper versions 0.2.15, 0.2.16, and 0.3.0 have been reported, putting many pools on Curve at risk of reentrancy attacks. The bug allows an attacker to call add_liquidity() while remove_liquidity() is still executing.
A total of $69.3 million has been affected so far, of which $16.7 million has been recovered by white hat hackers. This also means that $52 million has been stolen from this incident, making it the largest reentrancy attack so far in 2023.
Event Summary
On July 30, 2023, versions 0.2.15, 0.2.16, and 0.3.0 of the Vyper compiler, a contract-oriented programming language designed for the Ethereum Virtual Machine (EVM), were disclosed to have a broken reentrancy lock. Multiple DeFi projects were affected by the bug, with losses totaling $52 million.
CertiK has identified six addresses involved in the incident. The first one (0x172) failed to exploit the vulnerability in block 17806056. The original exploiter withdrew 0.1 ETH from Tornado Cash and proceeded to create the attack contract. However, a front-running wallet (0x6Ec21) paid a higher gas fee and executed the transaction first, earning about 6,100 WETH ($11.4 million).
The original exploiter's transaction failing after being front-run by an MEV bot. Source: Etherscan
The breach led to further losses: EOA 0xDCe5d acquired assets worth approximately $21 million. The details of the wallet involved are as follows:
A total of six projects were affected, with approximately $69.3 million stolen, of which $16.7 million was returned, for a total loss of approximately $52 million.
What is Vyper
Vyper is a contract-oriented, Pythonic programming language for the Ethereum Virtual Machine (EVM). Vyper had been in beta since 2017; its first non-beta release was version 0.2.1 in July 2020.
Solidity, the dominant language in the Ethereum ecosystem, has been around much longer than Vyper, so many community members have created tools that run exclusively with Solidity. According to data from DeFiLlama, of the total locked value (TVL) of approximately US$70 billion in DeFi protocols, Vyper smart contracts accounted for US$2.17 billion, while Solidity accounted for the vast majority, as high as US$67.49 billion.
As of May 10, 2023, Vyper’s dominance has fallen from a high of 30% in August 2020 to 6.27%. Even though Vyper’s TVL dominance was significantly lower than Solidity’s, the event still resulted in a $62 million hit.
Compiler version
A compiler version refers to a specific version of a programming language compiler that converts human-readable source code into machine-readable code.
Compiler versions are regularly updated to introduce features, fix bugs, and enhance security. The Vyper project currently does not offer a bug bounty program.
Version 0.2.15 - 0.3.0
As mentioned above, vulnerabilities were found in Vyper versions 0.2.15, 0.2.16 and 0.3.0, which exposed multiple DeFi projects to reentrancy attacks.
The earliest affected version, 0.2.15, was released on July 23, 2021. By the release of version 0.3.1 in December of the same year, the bug was no longer present.
Timeline
The incident began at 9:10 p.m. Beijing time on July 30. The attacker's transaction against the JPEG'd pool on Curve failed because it was front-run.
At 10:00 p.m. Beijing time on July 30, JPEG'd confirmed that the pETH-ETH Curve pool had been exploited.
Vyper subsequently announced that versions 0.2.15, 0.2.16 and 0.3.0 contained a broken reentrancy lock. Metronome and Alchemix were also hit after Vyper's announcement.
Metronome DAO Announcement:
In the early hours of the next day, Beijing time, Curve Finance announced on Discord that the remaining pools were not affected by the Vyper bug and were safe.
Curve Finance announced on Twitter that a pool on Arbitrum was potentially affected, but that there was no profitable exploit for malicious actors to execute, meaning the pool was unlikely to be drained. CertiK has also not detected any other attacks exploiting the Vyper vulnerability.
Attack process
Here is the transaction that targeted JPEG'd:
Attacker: 0x6ec21d1868743a44318c3c259a6d4953f9978538
Attack contract: 0x466b85b49ec0c5c1eb402d5ea3c4b88864ea0f04
1. The attacker first borrows 80,000 WETH (about $149,371,300) from Balancer: Vault.
2. The attacker then swaps WETH for ETH, calls pETH-ETH-f.add_liquidity(), and adds 40,000 ETH (about $74,685,650) to the pETH-ETH-f pool. In return, the attacker receives 32,431 pETH (pETH-ETH-f).
3. The attacker calls remove_liquidity() to remove the liquidity added in step 2. 3,740 pETH and 34,316 ETH are transferred to the attack contract, and the ETH transfer triggers the attack contract's fallback() function, handing control back to the attacker. Inside fallback(), the attacker adds another 40,000 ETH of liquidity to the pETH-ETH-f pool and receives 82,182 pETH.
4. The attacker calls remove_liquidity() again, burns 10,272 pETH, and receives 47,506 ETH and 1,184 pETH. The attacker then swaps 4,924 pETH for 4,285 ETH in the pETH-ETH-f pool.
In total, the attacker obtained 34,316 ETH from step 3, 47,506 and 4,285 ETH from step 4, for a total of 86,107 ETH. After repaying the 80,000 ETH flash loan, the attacker was left with 6,107 ETH (~$11,395,506).
Vulnerabilities
This vulnerability allows an attacker to call add_liquidity() while remove_liquidity() is still executing. Although both functions are supposed to be protected by @nonreentrant('lock'), tests on add_liquidity() and remove_liquidity() showed that the lock does not prevent reentrancy.
Vyper contract of the Curve.fi factory pool. Source: Etherscan
The exploits of JPEG'd, Metronome and Alchemix confirm that Vyper versions v0.2.15, v0.2.16 and v0.3.0 have a broken reentrancy lock.
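The following is an added illustration, not code from the article or from Curve: a Python model of a pool whose remove_liquidity() hands control to the receiver before the LP burn (the pattern in steps 3 and 4 above), with @nonreentrant implemented two ways. A per-function lock key stands in for the assumed essence of the bug in the affected versions (the lock taken by remove_liquidity() is not the one add_liquidity() checks); one key shared by every decorated function is the intended behaviour. Pool math is simplified to pro-rata minting and all names and amounts are constructed.

```python
class Reentered(Exception):
    """Models the failing assert behind Vyper's @nonreentrant."""
def nonreentrant(fn):
    # shared_lock=False: per-function key, the assumed essence of the 0.2.15-0.3.0 bug;
    # shared_lock=True: one key shared by every decorated function, as intended.
    def wrapper(self, *args):
        key = "lock" if self.shared_lock else fn.__name__
        if self.locks.get(key):
            raise Reentered(fn.__name__)
        self.locks[key] = True
        try:
            return fn(self, *args)
        finally:
            self.locks[key] = False
    return wrapper

class Pool:
    """Toy pETH-ETH pool: LP tokens are minted pro rata to the ETH deposited."""
    def __init__(self, shared_lock):
        self.shared_lock, self.locks = shared_lock, {}
        self.eth, self.total_supply, self.lp = 0, 0, {}  # ETH held, LP supply, LP per address
    @nonreentrant
    def add_liquidity(self, sender, eth):
        minted = eth if self.total_supply == 0 else eth * self.total_supply // self.eth
        self.eth += eth
        self.total_supply += minted
        self.lp[sender] = self.lp.get(sender, 0) + minted
        return minted
    @nonreentrant
    def remove_liquidity(self, sender, amount, on_receive):
        payout = amount * self.eth // self.total_supply
        self.eth -= payout
        on_receive(payout)            # ETH transfer: control passes to the receiver
        self.total_supply -= amount   # the LP burn happens only after the transfer
        self.lp[sender] -= amount
        return payout

def reentry_during_remove(shared_lock):
    """LP minted by an add_liquidity() re-entered from inside remove_liquidity(),
    or None if the lock blocked it (a fair 100 ETH deposit here mints 100 LP)."""
    pool = Pool(shared_lock)
    pool.add_liquidity("lp1", 100); pool.add_liquidity("lp2", 100)
    minted = []
    def on_receive(_payout):          # receiver callback that re-enters the pool
        try:
            minted.append(pool.add_liquidity("lp2", 100))
        except Reentered:
            minted.append(None)
    pool.remove_liquidity("lp2", 100, on_receive)
    return minted[0]
```

With the per-function key the re-entered deposit is priced against a supply that still includes the LP tokens being burned, so it mints twice the fair amount; with the shared key the nested call reverts, which is the behaviour an audit should test for on any pool compiled with an affected version.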
Solution
Projects using vulnerable Vyper versions should contact Vyper for assistance with mitigation. Projects should also try to upgrade to the latest version of Vyper that does not contain this vulnerability.
Summary
The attack on Vyper is the largest reentrancy vulnerability detected by CertiK in 2023. In terms of financial losses, this attack accounted for 78.6% of such incidents.
The two largest reentrancy vulnerabilities of the year both exploited contracts written in Vyper, although the vulnerabilities were not identical.
Currently, losses due to reentrancy attacks across all chains in 2023 have exceeded $66 million. That is about $4 million more than for all of 2020 and just $1 million less than the 2021 loss. Notably, the 2023 total also represents a 259.45% increase over losses due to reentrancy attacks in 2022.