- Some DeFi protocols on BNB Smart Chain have fallen victim to the Vyper attack previously targeting Ethereum-based platforms
- Malicious actors are using a vulnerability in some versions of the Vyper programming language that results in weak protection against reentrancy attacks
- Blockchain security platform BlockSec reported that roughly $73,000 has been siphoned in three exploits across BSC
Some DeFi protocols on BNB Smart Chain (BSC) have fallen victim to the Vyper attack recently used to terrorize Ethereum-based DeFi platforms. The attack hinges on a vulnerability in some versions of the Vyper programming language that results in a weak defense against reentrancy attacks. According to blockchain security platform BlockSec, attackers have already siphoned roughly $73,000 from three exploits on BSC.
Curve Finance Loses Over $45 Million in Vyper Attack
The faulty reentrancy lock, which should stop untrusted external code from re-entering a contract function while an earlier call is still running, was traced to three Vyper versions, 0.2.15, 0.2.16 and 0.3.0, with the malicious actors seemingly targeting platforms holding wrapped Ethereum (WETH).
— BlockSec (@BlockSecTeam) July 30, 2023
With Vyper being the most used language in the web3 scene, the weakness has caused popular DeFi platforms on Ethereum like Curve Finance to lose upwards of $45 million.
A number of stablepools (alETH/msETH/pETH) using Vyper 0.2.15 have been exploited as a result of a malfunctioning reentrancy lock. We are assessing the situation and will update the community as things develop.
Other pools are safe. https://t.co/eWy2d3cDDj
— Curve Finance (@CurveFinance) July 30, 2023
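As an added example (not code from BlockSec, Curve or the Vyper project), this Python sketch flags Vyper source files whose version pragma admits one of the three compiler versions named above and that rely on `@nonreentrant`. The sample sources, file names and status labels are constructed, and range handling is simplified to `^`, comparison operators and comma-separated clauses.

```python
import re

# Compiler versions the article names as having the faulty reentrancy lock.
AFFECTED = [(0, 2, 15), (0, 2, 16), (0, 3, 0)]
PRAGMA_RE = re.compile(r"^#[ \t]*(?:@version|pragma[ \t]+version)[ \t]+(.+?)[ \t]*$", re.M)
CLAUSE_RE = re.compile(r"^(\^|>=|<=|==|>|<)?\s*v?(\d+)\.(\d+)\.(\d+)$")
LOCK_RE = re.compile(r"^[ \t]*@nonreentrant\b", re.M)


def clause_allows(clause, version):
    """True if one constraint such as '^0.2.8' or '>=0.2.15' admits `version`."""
    m = CLAUSE_RE.match(clause.strip())
    if not m:
        raise ValueError(f"unsupported version clause: {clause!r}")
    op = m.group(1) or "=="
    base = tuple(int(part) for part in m.group(2, 3, 4))
    if op == "^":  # simplified npm-style caret: stay below the next minor (0.x) or major
        upper = (0, base[1] + 1, 0) if base[0] == 0 else (base[0] + 1, 0, 0)
        return base <= version < upper
    return {"==": version == base, ">=": version >= base, "<=": version <= base,
            ">": version > base, "<": version < base}[op]


def audit(source):
    """Classify one Vyper source file by its version pragma and lock usage."""
    uses_lock = bool(LOCK_RE.search(source))
    pragma = PRAGMA_RE.search(source)
    if pragma is None:
        return {"status": "unknown-version", "matches": [], "uses_lock": uses_lock}
    clauses = pragma.group(1).split(",")
    matches = [".".join(map(str, v)) for v in AFFECTED
               if all(clause_allows(c, v) for c in clauses)]
    if not matches:
        status = "ok"
    else:
        status = "at-risk" if uses_lock else "affected-compiler"
    return {"status": status, "matches": matches, "uses_lock": uses_lock}


# Constructed sample sources (not taken from any real protocol).
LOCKED_BODY = '\n\n@external\n@nonreentrant("lock")\ndef withdraw(amount: uint256):\n    pass\n'
SAMPLES = {
    "pinned.vy": "# @version 0.2.15" + LOCKED_BODY,
    "ranged.vy": "# @version ^0.2.8" + LOCKED_BODY,
    "newer.vy": "# @version 0.3.1" + LOCKED_BODY,
    "nolock.vy": "# @version 0.3.0\n\n@external\ndef ping():\n    pass\n",
}

if __name__ == "__main__":
    for name, src in SAMPLES.items():
        print(name, audit(src))
```

A source pragma is only a hint: the compiler version recorded for the deployed bytecode is what determines exposure, so treat a match here as a prompt to check the build artifacts.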
All WETH Across the Blockchain Space at Risk
According to BlockSec, the vulnerability potentially places all WETH in liquidity pools across the blockchain space at risk of being exploited. Although there have been attempts to recover part of the stolen funds, the efforts have so far managed to wrest only a small portion from the hands of the attackers.
Smart contract exploits account for a huge chunk of assets stolen in the web3 world. Two weeks ago, for example, over 200 Ethscriptions were stolen in a smart contract hack. Other DeFi platforms like Ronin and Wormhole have in the past lost $540 million and $320 million respectively through smart contract hacks.
With some DeFi hackers preferring a white hat bounty instead of keeping the entire loot, it remains to be seen whether the malicious actors exploiting Vyper weaknesses will follow the same path.