Copycat attacks have hit the BNB Smart Chain (BSC), exploiting the same Vyper compiler vulnerability that was used against the decentralized finance (DeFi) protocol Curve Finance. Blockchain security firm BlockSec reported on Twitter that roughly $73,000 worth of cryptocurrency was stolen on BSC across three separate exploits.
At the same time, similar exploits targeted liquidity pools on Curve Finance, with losses exceeding $41 million according to BlockSec's latest estimates. The root cause is a malfunctioning reentrancy lock in Vyper versions 0.2.15, 0.2.16 and 0.3.0: in those compiler releases the @nonreentrant decorator did not reliably stop a contract from being re-entered through a second function guarded by the same lock key, so contracts that relied on it for cross-function reentrancy protection were exposed (the problem is fixed in 0.3.1 and later). Those compiler versions were used by a number of DeFi pools. Vyper is one of the main languages that compile to the Ethereum Virtual Machine, so any protocol whose contracts were built with an affected version, on Ethereum or on an EVM-compatible chain such as BSC, could be at risk, not only Curve.
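To make the failure mode concrete, here is an added example that is not code from the page, from Curve, or from any of the affected pools: a deliberately simplified single-asset ETH pool in Vyper, with the pool logic, function names and the second "hardened" file all hypothetical. It shows the pattern that the compiler bug turns into an exploit: two externally callable functions sharing one named lock, where the withdrawal function sends ETH (handing control to the caller) before it finishes updating state.

```vyper
# @version 0.3.0
# ---- vulnerable_pool.vy ----
# Illustrative ETH pool (added example, not Curve's code). Both functions are
# guarded by the key "lock". Compiled with Vyper 0.2.15, 0.2.16 or 0.3.0 that
# key does NOT behave as a single shared lock, so remove_liquidity can be
# re-entered through add_liquidity from the ETH-transfer callback. Compiled
# with 0.3.1 or later the lock is shared and the re-entrant call reverts.

shares: public(HashMap[address, uint256])
total_supply: public(uint256)

@external
@payable
@nonreentrant("lock")
def add_liquidity():
    # Price new shares against the pool balance before this deposit.
    # self.balance already includes msg.value at this point.
    pool_before: uint256 = self.balance - msg.value
    minted: uint256 = msg.value
    if self.total_supply > 0 and pool_before > 0:
        minted = msg.value * self.total_supply / pool_before
    self.shares[msg.sender] += minted
    self.total_supply += minted

@external
@nonreentrant("lock")
def remove_liquidity(burn: uint256):
    assert self.shares[msg.sender] >= burn, "insufficient shares"
    assert self.total_supply > 0
    amount: uint256 = burn * self.balance / self.total_supply
    # INTERACTION BEFORE EFFECTS: ETH leaves the pool here, and if msg.sender
    # is a contract its default function runs now. total_supply still holds
    # the old value, so a re-entrant add_liquidity prices shares against a
    # smaller pool and an unreduced supply, minting more shares per ETH than
    # it should. The contract is relying entirely on the lock to prevent this.
    raw_call(msg.sender, b"", value=amount)
    self.shares[msg.sender] -= burn
    self.total_supply -= burn


# ---- hardened_pool.vy (only the changed function; the rest is identical) ----
# Two independent fixes, and a contract should have both:
#   1. Build with an unaffected compiler (0.3.1 or later), so "lock" really is
#      one lock across add_liquidity and remove_liquidity.
#   2. Do not depend on the lock alone: follow checks-effects-interactions so
#      state is consistent before any external call.

@external
@nonreentrant("lock")
def remove_liquidity(burn: uint256):
    assert self.shares[msg.sender] >= burn, "insufficient shares"
    assert self.total_supply > 0
    amount: uint256 = burn * self.balance / self.total_supply
    # EFFECTS FIRST: supply and shares are already reduced when control leaves,
    # so a re-entrant add_liquidity sees consistent pricing even if the lock
    # were to fail again.
    self.shares[msg.sender] -= burn
    self.total_supply -= burn
    raw_call(msg.sender, b"", value=amount)
```

The practical check for a team running Vyper contracts is the compiler version, not the source: the same source compiled with 0.3.0 and with 0.3.1 has different lock behaviour. The version is recorded in the source's @version pragma and in the compiler metadata of verified contracts, and anything built with 0.2.15, 0.2.16 or 0.3.0 that combines @nonreentrant with an external call should be treated as exposed until it is recompiled and redeployed.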
News of the exploit drew in both white hat and black hat hackers, who fought on-chain battles to front-run or disrupt each other's exploit attempts and attempts to recover stolen funds. One notable white hat, "c0ffebabe.eth," managed to secure some of the funds for safekeeping and issued an on-chain message inviting affected protocols to contact them to arrange the return of funds. To date, c0ffebabe.eth has returned nearly 2,900 Ether, valued at over $5 million, to Curve in a single transaction. In another transaction they moved 1,000 ETH to what appears to be a newly created wallet, possibly a cold wallet for secure storage.
The copycat attacks on BSC and the Vyper vulnerability behind them underline that a bug in a compiler can undermine every contract built with it, regardless of how carefully the contract's own source was written. As attackers continue to exploit weaknesses in smart contracts and in the toolchains that produce them, comprehensive auditing and ongoing vigilance remain essential to safeguard the assets of users and protocols alike. For teams in the DeFi ecosystem the immediate step is to check which compiler version their deployed Vyper contracts were built with, recompile and redeploy anything built with 0.2.15, 0.2.16 or 0.3.0, and not rely on a reentrancy lock as the only defence around external calls.