Yesterday, an enthusiastic netizen who did not want to reveal his Twitter name sent over a document detailing the reasons why Curve Finance was attacked! Let’s take a look below 🧐
The enthusiastic netizen revealed that the main problem in the Curve Finance attack was the reentrancy lock of the smart contract language Vyper. The reentrancy lock itself exists to prevent reentrancy attacks. The famous "DAO" incident was caused by hackers using a vulnerability in Solidity in a reentrancy attack.

A reentrancy attack is one where, while a contract function is still executing, that same function is called again (re-entered) before the first call has finished, which lets the attacker control the execution flow.
In the DAO incident, the withdraw function had a logic vulnerability. The function does two things:
1. Modify the user's balance
2. Transfer
However, the transfer is executed before the balance is actually modified, so when the attacker receives the transfer they can recursively call the withdraw function again. In this way, the attacker can transfer funds again before the balance is reduced and steal the excess.


Let’s get back to the Curve Finance incident.
There is a module in Vyper that is meant to prevent this type of attack, but this module had a problem this time. Judging from GitHub, it is most likely a bug introduced during version iteration.
The 3 versions they mentioned are exactly 3 consecutive versions.

Someone raised an issue about this version's problem back then.
The main contents are:
1. After upgrading from Vyper 0.2.12 to 0.3.1, it was found that the contract storage layout had changed.
2. The original contract uses the transparent upgradeable proxy pattern to achieve upgrades, and the current implementation was completed under 0.2.12.
3. Directly upgrading the compiler version will break the existing contract storage layout and cause the proxy to fail.

It happened to be a major version iteration, from 0.2.x to 0.3, which introduced an incompatibility that caused the reentrancy lock to fail. Unfortunately, Curve Finance used this version, so the lock did not work.
The process by which Curve Finance was attacked was roughly this. The enthusiastic netizen said that no one had discovered it before, and those who could discover it were very awesome.
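As an added example (not from the document and not Curve's own code), here is a minimal vault in Vyper 0.3.x-style syntax showing the DAO ordering described above next to the hardened ordering; the contract, the function names and the `"lock"` key are my own assumptions. The point for defenders is that checks-effects-interactions ordering still protects the balance even when the compiler-generated `@nonreentrant` lock is broken, as this post says happened.

```vyper
# Added illustration, not Curve's code. Names (balances, deposit,
# withdraw_vulnerable, withdraw) and the "lock" key are chosen here.

balances: public(HashMap[address, uint256])

@external
@payable
def deposit():
    self.balances[msg.sender] += msg.value


@external
def withdraw_vulnerable(amount: uint256):
    # DAO-style ordering: the external call (the transfer) happens BEFORE
    # the balance is reduced, and there is no reentrancy lock. A contract
    # receiving the ETH can call back into this function while
    # self.balances[msg.sender] still holds the old value.
    assert self.balances[msg.sender] >= amount, "insufficient balance"
    raw_call(msg.sender, b"", value=amount)  # interaction first (bad)
    self.balances[msg.sender] -= amount      # effect last (bad)


@external
@nonreentrant("lock")
def withdraw(amount: uint256):
    # Hardened: checks -> effects -> interactions. The balance is reduced
    # before any ETH leaves, so a re-entered call fails the assert even if
    # the @nonreentrant lock were miscompiled (the failure mode this post
    # describes). The lock is kept as defence in depth, not as the only
    # protection.
    assert self.balances[msg.sender] >= amount, "insufficient balance"
    self.balances[msg.sender] -= amount      # effect first
    raw_call(msg.sender, b"", value=amount)  # interaction last
```

`withdraw_vulnerable` is included only for contrast and should never ship; an audit check for this class of bug is to flag any state write that follows an external call or `raw_call`.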