ZachXBT Tracks Down Developer Potentially Involved in Curve Exploit

The on-chain detective and the JPEG’d team believe that one of the developers working on the Bancor network and the web3.py Python library may be involved in the DEX hack.

The JPEG'd project initially claimed it had not been affected by the exploit; however, its team contacted the potential hacker with a proposed white hat bounty.

Update: According to the recent update from ZachXBT, the developer, who has chosen to remain anonymous, had his contracts drained by the hacker and is a victim himself, not an exploiter.

Today, prominent blockchain sleuth ZachXBT and the team behind the JPEG’d project contacted a person they believe might be linked to the Curve hack with a proposed white hat bounty. According to the Web3 detective, the developer address is "tied on-chain to the recent Curve Pool exploit" that took place on July 30 due to the reentrancy vulnerability in the Vyper contract-oriented programming language.

ZachXBT has not revealed any particular details about the developer who may be responsible for the attack on Curve, a decentralized exchange based on liquidity pools. Yet, some members of the crypto community on Twitter have identified the programmer as a contributor to the web3.py Python library designed to interact with Ethereum as well as the Bancor network, which is "an ecosystem of decentralized, open-source DeFi protocols that foster on-chain trading and liquidity," according to the project’s official website.


The developer's response to JPEG’d, "an experimental protocol bridging the gap between DeFi and NFTs," is still unknown. Interestingly, the JPEG’d team previously announced that the project’s contracts were not affected by the hack, while "the vault contracts that allow borrowing against NFTs were secure and still running solidly" and "NFTs and the treasury funds were safe."

Although blockchain analytics firm CertiK reports that white hats have managed to recover nearly $17 million of the $69.3 million Curve lost, the company claims the incident has been "the largest reentrancy attack so far in 2023."


One of the most notable recovery actions was the acquisition of 2,800 ETH, worth $5.2 million at press time, by an MEV bot run by the pseudonymous white hat Coffeebabe.eth. MEV bots are designed to monitor the blockchain for profitable transactions and get ahead of them by paying larger amounts of gas. The one developed by Coffeebabe.eth managed to complete the transaction before the hacker, and its deployer reportedly returned the cryptocurrency to Curve.

At the time of publication, there were several versions of Vyper, the language developed specifically for the Ethereum Virtual Machine. As per CertiK, three of them, 0.2.15, 0.2.16, and 0.3.0, "were vulnerable to malfunctioning reentrancy locks," which allowed hackers to perform a "reentrancy attack targeting the pETH-ETH-f pool."

This form of exploitation is possible due to a reentrancy vulnerability, which allows an attacker to call back into a function before its previous invocation has completed. As in the case of Vyper, this provides the opportunity to drain funds. According to CertiK, the add and remove liquidity functions used in Vyper lacked the "nonReentrant" modifier, which is crucial to prevent smart contracts from being re-entered while a call is still in progress.

Meanwhile, the most current versions of code libraries seem to be resistant to this type of attack. Fortunately, some of the major platforms that use Vyper have managed to update their applications in time. One of them is crypto exchange giant Binance, which stated that it used Vyper version 0.3.7 and higher at the time of the exploit. CertiK strongly recommends that projects using the versions of Vyper that contain the vulnerability upgrade to the latest versions of the language.