Recently, an unknown Miner Extractable Value (MEV) bot fell victim to a hack, resulting in an estimated loss of around $2 million and raising concerns about the security of Curve's pools.
The incident occurred in the Curve pools, a DeFi protocol known for its asset exchange functionality.
The attacker was able to exploit an arbitrage function, 0xf6ebebbb(), which had no caller authentication, so anyone could invoke it and drive swap operations across multiple pools using the bot's funds.
#MEV An unknown MEV bot was exploited (with $2m loss) to make multiple large swaps in #curve pools, causing arb with simple reverse swaps.
https://t.co/POY91xvwC4 — PeckShieldAlert (@PeckShieldAlert) November 8, 2023
This malicious activity resulted in significant slippage in transactions and led to substantial losses for the affected parties.
The attacker then reversed the swaps to capture the price difference, compounding the impact of the incident.
Consequences and Background of Hacking in Curve
The attack resulted in a loss of $2.3 million. The hacker discovered an exposed function in the bot that allowed them to execute a transaction from Wrapped Ether (WETH) to Wrapped Bitcoin (WBTC).
Subsequently, they conducted a flash loan of 27,255 WETH (equivalent to $51.36 million), using this loan to significantly manipulate the price ratio between WETH and WBTC within the Curve pool.
This manipulation destabilized the pool and forced the arbitrage bot to convert 1,339.8 WETH (approximately $2.52 million) into 6.95 WBTC (around $244,000).
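The two weaknesses described above, an externally callable swap entry point with no caller check and a swap that accepts any output amount, shown as an added illustration rather than the exploited bot's own code, with a hardened form beside it. The contract names, the ICurvePool interface (mirroring the StableSwap exchange shape) and all parameters are assumptions, not the specific pool or the 0xf6ebebbb() selector named in the article.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.20;

// Assumed, simplified interfaces; the real pool interface may differ.
interface IERC20 {
    function balanceOf(address) external view returns (uint256);
    function approve(address, uint256) external returns (bool);
}

interface ICurvePool {
    function exchange(int128 i, int128 j, uint256 dx, uint256 min_dy) external returns (uint256);
}

// VULNERABLE pattern: any address can route this contract's tokens through any pool,
// and min_dy = 0 accepts whatever a (possibly manipulated) pool happens to return.
contract ArbBotVulnerable {
    function swap(address pool, address tokenIn, int128 i, int128 j, uint256 dx) external {
        IERC20(tokenIn).approve(pool, dx);
        ICurvePool(pool).exchange(i, j, dx, 0);
    }
}

// HARDENED pattern: only the owner may trigger swaps, only pre-approved pools are used,
// and the caller's minimum output bounds the slippage the bot will tolerate.
contract ArbBotHardened {
    address public immutable owner;
    mapping(address => bool) public allowedPool;

    constructor() { owner = msg.sender; }

    modifier onlyOwner() {
        require(msg.sender == owner, "not owner");
        _;
    }

    function setPool(address pool, bool allowed) external onlyOwner {
        allowedPool[pool] = allowed;
    }

    function swap(address pool, address tokenIn, address tokenOut, int128 i, int128 j,
                  uint256 dx, uint256 minDy) external onlyOwner returns (uint256 received) {
        require(allowedPool[pool], "pool not allowed");
        uint256 before = IERC20(tokenOut).balanceOf(address(this));
        IERC20(tokenIn).approve(pool, dx);
        ICurvePool(pool).exchange(i, j, dx, minDy);   // pool reverts if output < minDy
        received = IERC20(tokenOut).balanceOf(address(this)) - before;
        require(received >= minDy, "slippage");       // defence in depth: verify what actually arrived
    }
}
```

The balance check after the swap is intentional: it confirms the tokens actually arrived rather than trusting the pool's return value alone.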
It is important to note that the owner of the MEV bot had already withdrawn funds from the contract before the attack, indicating careful planning by the attacker.
This incident serves as a reminder that while DeFi continues to be a fertile ground for innovation, it is also a space where risks and vulnerabilities can have a significant impact.
Curve’s pools faced multiple attacks in July 2023, resulting in losses of approximately $70 million due to a vulnerability in the Vyper programming language used in Ethereum smart contracts, including those of Curve and other decentralized protocols.
After that attack, ethical hackers and MEV bot operators collaborated to recover some of the lost funds.