Several stable pools on Curve Finance using Vyper were exploited on July 30, with losses reaching over $47 million. According to Vyper, its 0.2.15, 0.2.16 and 0.3.0 versions are vulnerable to malfunctioning reentrancy locks. “The investigation is ongoing but any project relying on these versions should immediately reach out to us,” Vyper wrote on X. Based on an analysis of affected contracts by security firm Ancilia, 136 contracts used Vyper 0.2.15 with reentrant protection, 98 contracts used Vyper 0.2.16 and 226 contracts used Vyper 0.3.0. According to initial investigation, some versions of the Vyper compiler do not correctly implement the reentrancy guard, which prevents multiple functions from being executed at the same time by locking a contract. Reentrancy attacks can potentially drain all funds from a contract. Vyper is a contract-oriented, pythonic programming language that targets the Ethereum Virtual Machine (EVM). Vyper’s similarities to Python make the language one of the starting points for Python developers jumping into Web3. A number of decentralized finance projects were affected by the attack.
Full story : Curve Finance pools exploited by over $47M due to reentrancy vulnerability.