Could there be a ‘super-big bug’ at the root of DeFi? It’s possible, says Blockworks Research

Blockworks Research explains Curve was the “end target” of the hack and Vyper was the means by which it took place


Anyone who’s ever played a loot-based game like Diablo has heard of the old trick “duping.” An unscrupulous player places something on the ground that they want to duplicate and then tricks the inventory system into forgetting about the item when it’s picked back up.

Although it’s generally frowned upon as cheating, the tactic is relatively inconsequential, considering it’s a video game, and the inventory from which it is “stolen” has no monetary value. But in the world of cryptocurrency, where real value is traded, exploits of a similar nature can have a much more serious impact. 

Such was the case with the recent attack on Curve’s DeFi ecosystem, which saw millions of dollars in tokens swiped from pools. The “re-entrancy attack” took advantage of vulnerabilities due to a bug in the compiler for Vyper, the programming language that Curve (CRV) uses for a number of smart contracts.

A re-entrancy attack doesn’t look quite the same as the old video game duping exploit, but it’s not far off. On a recent Empire podcast (Spotify/Apple), host Jason Yanowitz offers an analogy. 

“Suppose that there’s this mischievous person,” Yanowitz says, who walks into a bank. To exploit the system, the scammer requests a withdrawal and promptly receives their money, but before the teller can record it in a ledger, the culprit distracts them.

While the teller is distracted, the cheat again asks for their withdrawal, at which point the teller hands over money in addition to the original funds. The process repeats with the astoundingly inattentive teller, allowing the thief to withdraw far more money than is actually in their account. 
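The teller analogy as a runnable model, added here as an illustration and not code from Curve, Vyper or the podcast: one teller pays before writing the ledger, the other writes the ledger first and refuses a second request while one is open. The class names, the `run` helper and the balances are constructed for the example.

```python
# Added illustration: a toy in-memory bank, not Curve or Vyper code; all names are hypothetical.
class Customer:
    def __init__(self, name, repeat_requests=0):
        self.name, self.cash, self.repeat = name, 0, repeat_requests
    def receive(self, teller, amount):
        self.cash += amount
        if self.repeat > 0:              # ask again while the teller is mid-withdrawal
            self.repeat -= 1
            teller.withdraw(self)

class DistractedTeller:
    """Hands over the money first and writes the ledger afterwards."""
    def __init__(self, deposits):
        self.ledger = dict(deposits)
        self.vault = sum(deposits.values())
    def withdraw(self, customer):
        amount = self.ledger.get(customer.name, 0)
        if amount == 0 or self.vault < amount:
            return 0
        self.vault -= amount
        customer.receive(self, amount)   # control leaves the teller here
        self.ledger[customer.name] = 0   # too late: the balance was already re-read
        return amount

class CarefulTeller(DistractedTeller):
    """Writes the ledger before paying and refuses a request while one is open."""
    def __init__(self, deposits):
        super().__init__(deposits)
        self.busy = False
    def withdraw(self, customer):
        if self.busy:                    # re-entrancy lock
            return 0
        self.busy = True
        try:
            amount = self.ledger.get(customer.name, 0)
            if amount == 0 or self.vault < amount:
                return 0
            self.ledger[customer.name] = 0   # record first
            self.vault -= amount
            customer.receive(self, amount)   # pay last
            return amount
        finally:
            self.busy = False

def run(teller_cls):
    teller = teller_cls({"mallory": 100, "alice": 100, "bob": 100})  # constructed sample data
    visitor = Customer("mallory", repeat_requests=2)
    teller.withdraw(visitor)
    return visitor.cash, teller.vault    # (cash paid out to the visitor, cash left in the vault)
```

With the distracted teller a 100-unit account drains all 300 units in the vault; with the careful teller the same sequence pays out exactly 100.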

Blockworks Research analyst Ren Yu Kong explains Curve was the “end target” of the hack and Vyper, like the confused teller, allowed it to happen. 

The blame game

Blockworks data editor Andrew Thurman adds that the person who approved the commit, allowing for the exploit to be executed, appears to have been a Curve developer. “It’s really tough to say it’s one team and not another team who should take the blame,” he says.


“These things are structures that are built on top of each other,” Thurman says. “You just assume that somebody smarter than you has done the legwork to make sure that everything’s good with the compiler.”

“Who is really at fault at the end of the day is, I think, a much more complicated question,” he says.

Yanowitz wonders if the problem extends to other protocols, considering many use the same smart contract language and compilers. Yu Kong takes things a step further. 

“We all know Solidity is probably the most used smart contract programming language within the EVM ecosystem.” Yu Kong notes that a recent audit discovered several bugs in Solidity’s optional compiler optimization module. “Chances are that developers check the smart contract optimization box because they trust Solidity,” Yu Kong says.

“But over the years, starting all the way from late 2018, there’s been a significant number of high-severity bugs in that Solidity compiler,” he says. “So for all we know, there’s one super big bug in the Solidity optimizer.”

Even the best Big Tech companies in the world fall victim to zero-day exploits from time to time, Yu Kong says. “It’s really hard to write perfect code.” 

While Big Tech companies usually patch vulnerabilities quickly, the fact that a zero-day exploit can exist in such highly developed software engineering environments is “pretty scary,” Yu Kong says.

“The same, probably, is the case for any smart contract programming language.”

