Cryptocurrency and DeFi protocols have faced increasing problems due to vulnerabilities and resultant loss of funds. As the problems have continued, those identifying it have contributed to the benefit of the cause of decentralized finance. In a big discovery, a cybersecurity expert identified a vulnerability in Curve Finance protocol which could be used for withdrawal of funds from the liquidity pool.
Cryptocurrency protocols and vulnerability
There has been an estimate of losses amounting to $758 million due to vulnerabilities in DeFi protocols in Q3 of 2023. There have been a staggering 116 cases which show that there is an urgent need for enhancement of security. A workforce needs to be deployed for this purpose to identify vulnerabilities and address problems.
In a recent discovery, Curve Finance protocol has identified a vulnerability in the DeFi system. The vulnerability is of historical importance as it has resulted in the loss of millions of dollars for years. The vulnerability has resulted in hackers’ access to the protocol’s liquidity pool and drawing out funds.
There have been a range of security attacks in 2023 and major areas of focus for hackers included smart contract vulnerabilities, reentry attacks, and Oracle manipulation attacks. The first one is of critical importance because if a hacker is able to identify a vulnerability, they can use it for negative purposes, affecting the funds and security of the protocol.
Claim of a key vulnerability in Curve Finance and other protocols came from a cybersecurity expert Marc Croc. Belonging to Kupia security, Marc Croc said that the vulnerability resulted in the loss of funds from the liquidity pool. The mentioned cybersecurity expert also added that it has led to the loss of millions from various protocols.
Reentrancy Vulnerability in Curve Finance
Reenetracy vulnerability was verified by the developers’ team from Curve Finance. In a detailed overview, they were able to identify and confirm it. According to official sources, the bug could manipulate the balances of a DeFi protocol. The manipulation of balances could also result in the withdrawal of funds from the liquidity pool.
According to Curve Protocol sources, the bug didn’t pose an existential threat but it could create panic if any such incident took place. Furthermore, the company believed that they could recover funds in case such an incident took place. In July Curve Finance was able to recover funds amounting to $62 million which had been stolen after a vulnerability was exposed to hackers.
Furthermore, the protocol members agreed to return assets valuing $49.2 million to liquidity providers. It announced the recovery of ETH assets, CRV, and other assets that were recovered by whitehat hackers.
Curve protocol has brought forward a proposal the community fund will supply CRV tokens. The attackers identified a vulnerability in the Vyper language where problems were found in versions 0.2.15, 0.2.16, and 0.3.0.
Developer rewarded $250K
It was a critical problem that would have created problems for the development team because of the increased panic amongst the users and investors. To face the problem promptly, a cybersecurity expert identified the problem, not revealing their identity.
Once the problem was confirmed, the protocol awarded the whitehat maximum bug bounty of $250K. The whitehat shared the details in the X thread, thanking Curve Finance. Furthermore, the account shared the details of how the vulnerability would affect the protocol.
Conclusion
In a recent tweet from a whitehat cybersecurity expert, Marc Croc announced the discovery of a vulnerability in Curve Finance. The development team confirmed and addressed the problem, announcing a bounty amount of $250K for the mentioned whitehat. Though the problem wasn’t an existential threat, it would have created a panic.