Witness history today. Well-known DEX protocol CurveFinance was attacked, and the liquidity of multiple pools was taken away. Preliminary investigation showed that it was the fault of the smart contract compiler Vyper! It was so outrageous that people couldn't help but exclaim. Preliminary statistics showed that the loss exceeded 50 million US dollars, and the instantaneous price of CRV platform token was close to zero!

Let me briefly explain to friends who don’t understand technology. When we use blockchain, we often deal with codes running on the blockchain. These codes are called “smart contracts.”

For a public chain like Ethereum that focuses on smart contracts, it has a set of standard codes for smart contracts for those who develop applications (also called dApps, decentralized apps) on it to write and run applications. For example, Uniswap and Curve are dApp applications running on Ethereum.

In order to make computers run more conveniently and save storage space, the standard code stored on the chain is a very compact binary number close to machine language, which is not convenient for humans to read and write directly.

In order to make it easier to open applications, many "high-level languages" that are easy for humans to read and write were invented to write programs. There were three on Ethereum. One with a syntax similar to LISP, which was not popular. One with a syntax similar to Python, which was strongly promoted by Vitalik (founder of Ethereum), called Vyper. The last one with a syntax similar to Javascript, called Solidity.

After programmers write smart contract programs in these high-level languages, they need to use a tool called a "compiler" to "translate" them into "machine language" that can run on the Ethereum blockchain, that is, standard code.

Obviously, different high-level languages ​​have their own compilers. This is easy to understand. The Japanese translation is definitely different from the English translation. The problem lies in the compiler/translator.

The reason why Curve was attacked this time was that a specific version of the Vyper compiler used by some of Curve's pools had a defect (suspected, and further investigation is still ongoing). This is like you said "I want to drink" in Japanese, but the translator translated it into Chinese as "I want to eat crabs". This is outrageous

Fortunately, Vyper is not very popular. Currently, Solidity is still the most widely used in Ethereum and compatible chains. The English translation is relatively clear and there are no translation errors, thank God.

In the earliest days of Uniswap, the leader of DEX, founder Hayden used Vyper language to write the code. Fortunately, Hayden later hired a professional CTO and changed the code to Solidity. Therefore, Uniswap was safe from the Vyper compiler issue this time. However, Curve Finance, which used Vyper language extensively, suffered.

The problem caused by this defect is the classic "reentrancy problem". Looking back to 2015, The DAO incident directly led to the hard fork of Ethereum, splitting it into ETH and ETC. It was this reentrancy problem that was truly a historical curse!

But the reentry problem of The DAO happened at the high-level language level. That is, you said it wrong in English. You said you wanted to eat crabs instead of drinking wine. The translator did not make a mistake.

The terrible thing about this Curve incident is that you said it right, but the translator translated it wrong, and you couldn’t understand it (the audit company would not review the compiled binary code), and as a result, a fatal BUG was introduced without anyone noticing! This also sounded a wake-up call for the entire DeFi industry and even the entire blockchain industry today!

Today, everyone, from code writers to code reviewers to third-party auditors, will not look at the compiled binary code. Everyone assumes that there will be no problems with the compiler, and as long as the high-level language is written correctly, it is considered to be fine.

Why didn't Satoshi Nakamoto expand the BTC script to include too powerful smart contract functions? It was to avoid unforgivable mistakes caused by increased complexity. Some people criticize BTC for being conservative, but when faced with assets worth millions, tens of millions, or even hundreds of millions of dollars, being cautious and conservative is not excessive. Most people are still ordinary people, and the loss of tens or millions of dollars is a fatal blow to anyone.

This also highlights the warning of Murphy's Law: Any link that can go wrong will go wrong if it takes enough time. Vyper is lucky this time. What about the future? What if Solidity has a fatal vulnerability? The entire DeFi, thousands of protocols, hundreds of billions of assets, and brilliant buildings are actually built on quicksand. In an instant, the firewood is cut off and all collapsed. Isn't it terrible?

Why is it difficult to go through the cycle? Before pursuing this or that dream goal, it is better to examine whether you can "live to that day." Many times, surviving is winning, and the survivors are the kings.