Could there be a ‘super-big bug’ at the root of DeFi? It’s possible, says Blockworks Research

Blockworks Research explains Curve was the “end target” of the hack and Vyper was the means by which it took place

by Darren Kleine /
article-image

Paulo Melo/Shutterstock modified by Blockworks

share

Anyone who’s ever played a loot-based game like Diablo has heard of the old trick “duping.” An unscrupulous player places something on the ground that they want to duplicate and then tricks the inventory system into forgetting about the item when it’s picked back up.

Although it’s generally frowned upon as cheating, the tactic is relatively inconsequential, considering it’s a video game, and the inventory from which it is “stolen” has no monetary value. But in the world of cryptocurrency, where real value is traded, exploits of a similar nature can have a much more serious impact. 

Such was the case with the recent attack on Curve’s DeFi ecosystem, which saw millions of dollars in tokens swiped from pools. The “re-entrancy attack” took advantage of vulnerabilities due to a bug in the compiler for Vyper, the programming language that Curve (CRV) uses for a number of smart contracts.

A re-entrancy attack doesn’t look quite the same as the old video game duping exploit, but it’s not far off. On a recent Empire podcast (Spotify/Apple), host Jason Yanowitz offers an analogy. 

“Suppose that there’s this mischievous person,” Yanowitz says, who walks into a bank. To exploit the system, the scammer requests a withdrawal and promptly receives their money, but before the teller can record it in a ledger, the culprit distracts them.

Newsletter

Subscribe to Blockworks Daily

While the teller is distracted, the cheat again asks for their withdrawal, at which point the teller hands over money in addition to the original funds. The process repeats with the astoundingly inattentive teller, allowing the thief to withdraw far more money than is actually in their account. 

Blockworks Research analyst Ren Yu Kong explains Curve was the “end target” of the hack and Vyper, like the confused teller, allowed it to happen. 

The blame game

Blockworks data editor Andrew Thurman adds that the person who approved the commit, allowing for the exploit to be executed, appears to have been a Curve developer. “It’s really tough to say it’s one team and not another team who should take the blame,” he says.

Read more: Curve’s Egorov turns to notable counterparties to bail out his DeFi positions

“These things are structures that are built on top of each other,” Thurman says. “You just assume that somebody smarter than you has done the legwork to make sure that everything’s good with the compiler.”

“Who is really at fault at the end of the day is, I think, a much more complicated question,” he says.

Yanowitz wonders if the problem extends to other protocols, considering many use the same smart contract language and compilers. Yu Kong takes things a step further. 

“We all know Solidity is probably the most used smart contract programming language within the EVM ecosystem.” In a recent audit, Yu Kong notes that several bugs were discovered in Solidity’s optional compiler optimization module. “Chances are that developers check the smart contract optimization box because they trust Solidity,” Yu Kong says.

“But over the years, starting all the way from late 2018, there’s been a significant number of high-severity bugs in that Solidity compiler,” he says. “So for all we know, there’s one super big bug in the Solidity optimizer.”

Even the best Big Tech companies in the world fall victim to zero-day exploits from time to time, Yu Kong says. “It’s really hard to write perfect code.” 

While Big Tech companies usually patch vulnerabilities quickly, the fact that a zero-day exploit can exist in such highly-developed software engineering environments is “pretty scary,” Yu Kong says. 

“The same, probably, is the case for any smart contract programming language.”

Get the news in your inbox. Explore Blockworks newsletters:

Tags

Upcoming Events

Digital Asset Summit 2025

Old Billingsgate

Mon - Wed, October 13 - 15, 2025

Blockworks’ Digital Asset Summit (DAS) will feature conversations between the builders, allocators, and legislators who will shape the trajectory of the digital asset ecosystem in the US and abroad.

buy ticketslearn more

Permissionless IV

Industry City | Brooklyn, NY

TUES - THURS, JUNE 24 - 26, 2025

Permissionless IV serves as the definitive gathering for crypto’s technical founders, developers, and builders to come together and create the future.If you’re ready to shape the future of crypto, Permissionless IV is where it happens.

buy ticketslearn more

Permissionless IV Hackathon

Brooklyn, NY

SUN - MON, JUN. 22 - 23, 2025

Blockworks and Cracked Labs are teaming up for the third installment of the Permissionless Hackathon, happening June 22–23, 2025 in Brooklyn, NY. This is a 36-hour IRL builder sprint where developers, designers, and creatives ship real projects solving real problems across […]

learn more

recent research

Research Report Templates (1).jpg

Research

Jupiter: Scale, Synergies, and Scrutiny

Jupiter has emerged as the undisputed liquidity backbone of Solana, commanding over 90% of spot DEX aggregation and 80% of perp trading volume. But behind the numbers lies a far more ambitious play: a cross-chain, vertically integrated super-app spanning swaps, synthetics, NFTs, memecoins, and launchpads. This report explores Jupiter’s rapid rise, the monetization upgrades reshaping its revenue profile, and the risks that could unwind its dominance, from token dilution to competition. With annualized revenues nearing $300M, the upside is undeniable, if it can navigate the turbulence.

by Marc-Thomas Arjoon, CFA

/

news

article-image

FinanceForward Guidance Newsletter

How a soon-to-launch crypto equity ETF looks to be different

Financial advisers in a January survey said equity ETFs were their top choice for gaining crypto exposure in 2025

by Ben Strack /
article-image

BusinessForward Guidance Newsletter

Tesla to kick off Mag 7 earnings as more companies withdraw guidance

“Why put a target out there that’s really speculative, not knowing exactly where this environment is going to go?” CarMax CEO Bill Nash said

by Casey Wagner /
article-image

OpinionThe Drop

Coinbase’s Jesse Pollak calls for ‘better OnlyFans on Base,’ apologizes for post about ‘pimping’

While the head of Base may support legal sex work, Coinbase policies prohibit said workers from using its exchange.

by Kate Irwin /
article-image

0xResearch NewsletterDeFi

Vitalik Buterin suggests replacing EVM with RISC-V to scale Ethereum

EVM bottlenecks fundamentally hold back Ethereum’s scalability

by Donovan Choy /
article-image

PeopleSupply Shock

WikiLeaks, Google and Bitcoin: What happened in 2011

In 2011, WikiLeaks faced a financial blockade imposed by the US government. It was Bitcoin’s first major test.

by David Canellis /
article-image

BusinessEmpire Newsletter

Exclusive: Kado Software acquired by Swapped.com

Kado’s founder Emery Andrew spoke to Blockworks about the acquisition and what’s next for the team

by Katherine Ross /