Exploited MEV Bot Causes $2M Loss in Curve Pool Swap: Data




According to PeckShield Alert, an unknown Maximal Extractable Value (MEV) bot has been exploited, resulting in a loss of nearly $2 million.

The incident involved several large swaps in Curve pools, followed by arbitrage swaps.

The attacker manipulates the Curve pool

The exploit was possible because the bot's arbitrage function 0xf6ebebbb() lacks proper authentication of its caller, leaving the door open for an attacker to trigger swaps across multiple Curve pools. This flaw led to massive slippage and large losses for the affected party.

The attacker manipulated the swap to maximize their profit, worsening the impact of the exploit.

The attacker used the arbitrage bot to cause a loss of $2.3 million in a Curve pool. They found a flaw in the bot that allowed them to trigger a trade of Wrapped Ether (WETH) for Wrapped Bitcoin (WBTC).

They then took a flash loan of 27,255 WETH (equivalent to $51.36 million) and used it to significantly manipulate the WETH/WBTC price ratio in the Curve pool.

By skewing the pool this way, the attacker forced the arbitrage bot to convert 1,339.8 WETH (approximately $2.52 million) to 6.95 WBTC (approximately $244,000).

It should be noted that the MEV bot owner had already cashed out of the contract before the attack.
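The following sketch is an added example, not code from the bot or from Curve. It models the caller check the function lacked, plus a minimum-output bound that refuses a swap against a skewed pool. The constant-product pool, the reserves, the `OWNER` placeholder and the use of the article's dollar figures as a reference price are all assumptions.

```python
from dataclasses import dataclass

OWNER = "0xOWNER"  # placeholder owner address (constructed)
# WBTC per WETH implied by the article's dollar figures; stands in for an
# off-pool reference price, which the hardened bot is assumed to have.
REF_PRICE = (2_520_000 / 1339.8) / (244_000 / 6.95)


class SlippageError(Exception):
    pass


@dataclass
class Pool:
    """Constant-product pool (x*y=k, no fees): a simplification, not Curve's invariant."""
    weth: float
    wbtc: float

    def quote(self, weth_in: float) -> float:
        # WBTC paid out for weth_in at the pool's current reserves.
        return self.wbtc * weth_in / (self.weth + weth_in)

    def swap(self, weth_in: float) -> float:
        out = self.quote(weth_in)
        self.weth += weth_in
        self.wbtc -= out
        return out


def balanced_pool() -> Pool:
    # Constructed reserves, priced at REF_PRICE.
    return Pool(weth=200_000.0, wbtc=200_000.0 * REF_PRICE)


def guarded_arbitrage(pool: Pool, caller: str, weth_in: float,
                      max_slippage: float = 0.01) -> float:
    """Swap entry point with a caller check and a minimum-output bound."""
    # Guard 1: only the bot owner may trigger a swap of the bot's funds.
    if caller != OWNER:
        raise PermissionError("caller is not the bot owner")
    # Guard 2: refuse the trade if the pool pays less than the reference price
    # minus the tolerance, whatever state the pool is in at execution time.
    min_out = weth_in * REF_PRICE * (1 - max_slippage)
    quoted = pool.quote(weth_in)
    if quoted < min_out:
        raise SlippageError(f"quote {quoted:.2f} < min {min_out:.2f} WBTC")
    return pool.swap(weth_in)
```

In this model, a 27,255 WETH swap into the constructed pool cuts the quote for 1,339.8 WETH to about 77% of the reference value, so the second guard rejects the trade even when the owner is the caller.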

Previous Curve Finance exploits

On July 30, 2023, a series of exploits occurred in Curve Finance pools, resulting in losses of approximately $70 million. This incident raised significant concerns in the DeFi community. The attacks were made possible by vulnerabilities in Vyper, a third-party Pythonic programming language used by Ethereum smart contracts, including Curve and other decentralized protocols.

It should be noted that after the initial incident, both white hat hackers and Maximal Extractable Value (MEV) bot operators collaborated to recover a portion of the lost funds. As a result, the final value of the losses may be lower than the initial reports indicated.

Less than a week after the exploit, the hacker returned 4,820 alETH and 2,258 ETH to Alchemix, worth approximately $12.7 million.

On August 6, 2023, Curve Finance announced via Twitter that the deadline for the hacker to voluntarily return the remaining funds had passed. As a result, the company has offered a $1.85 million reward for anyone who can identify the hacker.
