Vyper, Curve Exploit Post-Mortem
On July 30th at approximately 2:50pm UTC, Metronome’s msETH-ETH Curve pool was exploited as part of a broader attack on certain Curve pools. This attack was made possible by a vulnerability in the Vyper code compiler through which the pools were deployed. The following outlines the attack as it unfolded and the impact to liquidity providers on the Metronome pool.
The Attack at a Glance
A very sophisticated attacker uncovered an exploit taking advantage of a vulnerability in certain Vyper compiler versions that enabled the malicious draining of pools that met the following criteria:
- Deployed using vulnerable Vyper compiler versions (v0.2.15, v0.2.16, v0.3.0)
- Uses naked ETH as one of the pool assets
For a deeper breakdown on the vulnerability itself and the attack vector, please see the official Vyper post-mortem.
This vulnerability was out in the wild for roughly two years before it was taken advantage of. As such, there were a number of pools, including msETH, which were effected due to the unlucky timing of when the pools were deployed.
Timeline and Nature of Events
This exploit represents a novel situation in which the original attackers largely did not make any profit. Adversarial MEV bots found the attack transactions and frontran them. This was also a novel exploit in that the original attack spurred an arms race between black hats and white hats to find vulnerable contracts and execute operations on them.
The first attack happened on the JPEG’d pETH Curve pool on the same day, July 30, at approximately 2:10pm UTC.
The msETH pool was attacked roughly 40 minutes later. It is unclear if the attacker worked in coordination with the original one or if they were a copycat blackhat.
The transaction that kicked off the attack can be found here: https://etherscan.io/tx/0xe2eb61b1ff11e447b791e030039ce89ae294423da1622d0be8c7ec3b2ff1a22a
The attacker themselves did not receive any profit from the exploit. Instead, an MEV bot c0ffeebabe.eth targeted the attack transaction and frontran it with their own attack: https://etherscan.io/tx/0xc93eb238ff42632525e990119d3edc7775299a70b56e54d83ec4f53736400964
At the time of the attack, the msETH-ETH Curve pool held the following assets:
- 1395.56 msETH
- 867.25 ETH
The “c0ffeebabe” MEV bot withdrew the majority of assets through the pool using the attackers’ same transaction code. The total drained from the pool through this transaction was as follows:
- 959.7 msETH
- 866.55 ETH
This left the pool with the following assets remaining:
- 435.86 msETH
- 0.7 ETH
Due to the nature of Curve pools, this enabled another MEV bot to swap 0.0025 ETH for 435.13 msETH: https://etherscan.io/tx/0xf94cfb5ea08db7fe0b8eaaf3cfdf072f001c0310317b199a34d69a05dcd003ea
The above MEV transaction occurred at the same block as the exploit and was carried out in a similar manner to the c0ffeebabe transaction. Therefore the activity may be treated as stolen funds in the same regard as the original attack.
In that same MEV transaction, the bot sold their msETH into the frxETH-msETH pool for frxETH. They received 253.6 frxETH and similarly unbalanced the pool. And through this trade, they effectively “forfeit” ~180 msETH profit. Further arbitrage and LP activity absorbed the rest of these assets.
This user swapped 31 frxETH in total over several trades for 201 msETH.
Several LPers and traders earned further profit, although at a smaller amount than the values above.
Metronome Response & Reclamation of Funds
The Metronome team immediately became aware of the exploit and assembled a war room to assess the best response.
Our first responses included:
- Temporary shutdown of Metronome protocol to eliminate any possible contagion.
- Immediate forensics research to pinpoint as much of the funds as possible.
- Coordinate with relevant leaders from other protocols effected to bolster our efforts.
Within the first 24 hours, the team was able to trace down the end recipients of almost all of the stolen funds. Efforts began with “c0ffeebabe” and other relevant parties.
Across several transactions in the early morning July 31, c0ffeebabe returned the majority of all funds received, keeping a small percentage as a whitehat bounty. In total, c0ffeebabe returned:
- 786.5 ETH
- 955 msETH
Through additional efforts, Metronome recovered 157,500 USDC on Aug 4. Those USDC were swapped for approximately 86.5 ETH
Recapitalization of the Pools
Following the initial return of funds, Metronome created a new Curve pool: msETH-WETH, and seeded it with all reclaimed funds. Proper steps have been taken across Curve and Convex to make the pool eligible for ecosystem incentives with minimum delay.
At the time of writing, the assets corresponding to that supplied LP is:
- 1,090.48 msETH
- 740.20 WETH
This LP will be distributed entirely to affected LPers as part of our efforts to remediate the uses as much as possible.
Metronome continues to pursue the remaining outstanding funds. And the team is additionally supportive of remediation efforts spearheaded by Vyper and Curve.
Specific instructions pertaining to how these funds will be redistributed will be shared soon.