A vulnerability found in a programming language commonly used for smart contracts led to tens of millions of dollars' worth of token theft, as DeFi projects suffered another blow last week. Finance pools were hit hard not just by this hack, but also by a meme coin rug pull that drained substantial amounts of liquidity.
The whole affair raised a fresh round of questions about whether DeFi projects are really ready for primetime, and had certain centralized exchange operators chuckling and gloating on social media.
Hack hits DeFi projects, BALD coin scalps finance pools
The least damaging of the incidents was the BALD coin rug pull. The coin was created as an apparent joke at the expense of Coinbase CEO Brian Armstrong, but quickly became a meme and shot up in value over a period of about 48 hours. That is, until the creator took full advantage of the situation and pulled out, removing about $12.5 million in liquidity from LeetSwap finance pools. LeetSwap wasn’t done taking hits yet, however, with an additional $630,000 taken from it by a smart contract hack.
About half of the amount stolen in the hack has been secured, but the BALD creator has said that the $12.5 million is not coming back to DeFi projects unless a more secure exchange option is established.
Hack of Vyper language drains Curve finance pools
A vulnerability in the Vyper programming language, which underpins some Ethereum smart contracts, was exploited in late July, leading to about $61 million being taken from assorted Curve finance pools. DeFi projects making use of versions 0.2.15, 0.2.16 and 0.3.0 of Vyper are vulnerable, which includes anything making use of wrapped Ether (WETH).
Curve itself took the largest loss, with 32 million CRV (about $22 million) stolen from its swap pool. A number of other finance pools were raided, in amounts ranging from about $10 million to several thousand dollars. But the Curve damage also threatened some $100 million in loans held by its founder, who retains 47% of the CRV tokens and has used them extensively as collateral. Though CRV ended up taking a substantial hit to its value (and crvUSD depegged for a short time), other DeFi projects swooped in with big purchases to help it stabilize and keep the overall ecosystem healthy.
The good news for Curve is that some $10 million of the stolen funds have been recovered, with a 10% bounty program appearing to have a very positive effect. The bounty offer has also just expanded to information that leads to the identification and conviction of any of the thieves.
While the overall damage from these incidents is not enough to sink any finance pools or DeFi projects, the rash of incidents in such a short time has once again put the spotlight on security issues in the space. DeFi is billed as a more secure crypto alternative due to the lack of custodial parties in the middle of transactions, but repeated hacks are raising alarms and causing many to re-evaluate how the environment should be monitored and protected.