On July 30, Curve Finance was hacked, resulting in damage to the liquidity pools of Curve (CRV), JPEG'd (JPEG), Alchemix (ALCX), and Metronome (MET). The total damage amounted to $61.7 million, but the attackers returned around $10 million. Approximately 94% of CRV token holders participated in compensating the losses for affected users.
To carry out the hack, the hackers exploited a vulnerability found in certain versions of the programming language Vyper, which is widely used for interacting with the Ethereum Virtual Machine (EVM). Vulnerable to replay attack transactions were versions of Vyper 0.2.15, 0.2.16, and 0.3.0.
In late November, a hacker attack also occurred on the Velodrome Finance trading protocol in the Optimism ecosystem. Developers had to temporarily suspend the project's operations until the identified vulnerability was addressed.
Comments