Flash Loan Attack on CRV-ETH Pool: White-Hat Hacker Saves $700k
In the world of decentralized finance (DeFi), security has always been a major concern. The recent incident involving the Curve Finance protocol once again highlights the vulnerabilities present in the DeFi space. On Twitter, the community discussed an event in which a flash loan transaction exploited a weakness in the CRV-ETH pool. One tweet described the incident as “Another crv/eth bug lol. Whitehat saved $700k this time. Sickening. Nobody will ever trust DeFi again.”
another crv/eth bug lol.
whitehat saved $700k this time.
sickening.
nobody will ever trust defi again
you got fools aping into $CRV tokens at 40c in mid 8 fig size?
with critical vulnerabilities still live and team saying “its all safu”
https://t.co/qvUf4GfBaI
— Napgenus ursus🧸🎯 (@napgener) August 5, 2023
Flash loans are a type of lending mechanism unique to DeFi that allow users to borrow assets without posting any collateral, as long as the loan is repaid within the same transaction. This feature, while innovative, can also be exploited if smart contract code is not robust enough.
It appears that this particular flash loan attack leveraged the LP Token mechanism of the Curve protocol to create a loop and withdraw funds. However, in a positive turn of events, a white-hat hacker intervened to rescue the funds. The hacker, identified as Addison, along with collaborators NotDeGhost, epheph, and the Curve Finance team, successfully recovered approximately $700,000 (consisting of 371 ETH and 92.5k CRV) from the affected pool.
I along with @NotDeGhost, @CurveFinance team and @epheph have white-hatted ~$700k from the ETH/CRV pool (371 ETH and 92.5k CRV). Funds were sent atomically to the Aragon contract controlled by veCRV voters. They will be moved to a distribution contract for LPs to claim.…
— Addison (@0xaddi) August 5, 2023
The recovered funds were sent directly to an Aragon contract controlled by veCRV voters. Aragon is a platform that facilitates decentralized governance, and veCRV represents voting escrowed CRV tokens. By sending the funds to this contract, the assets are safeguarded under the control of trusted community members.
The team intends to transfer the rescued funds to a new distribution contract, allowing liquidity providers (LPs) to claim their assets securely. This approach demonstrates the commitment to transparency and fairness within the DeFi community and aims to restore confidence among users in the protocol.
It’s worth noting that this incident was not the first time Curve Finance faced a security breach. On August 4th, the hackers responsible for the previous attack began returning the stolen funds. As part of their commitment to promoting security, the Curve Finance team has pledged to reward 10% of the bug bounty to the hackers who return the assets they had stolen.
The incident underscores the importance of continuous auditing and improvement of DeFi protocols to mitigate risks and protect user funds. While the intervention of white-hat hackers in this instance is commendable, it should serve as a wake-up call to the DeFi community to remain vigilant and proactive in addressing potential vulnerabilities.