Exploited MEV Bot Causes $2M Loss in Curve Pool Swap: Data
According to PeckShield Alert, an unknown Maximal Extractable Value (MEV) bot has been exploited, resulting in a loss of nearly $2 million.
The incident, in the well-known Curve pools, led to many large swaps and subsequent arbitrage swaps.
The attacker controls the Curve pool
The exploit was possible because the arbitrage implementation 0xf6ebebbb() lacks proper authentication, leaving the door open for an attacker to trigger swaps across multiple Curve pools. This flaw resulted in massive slippage and huge losses to the affected parties.
#MEV An unknown MEV bot (at a loss of #2m) was used to make several large swaps in #curve pools, creating a simple reverse swap. pic.twitter.com/vu1CaxSrdt
— PeckShieldAlert (@PeckShieldAlert) November 8, 2023
As the incident unfolded, the attacker maliciously manipulated the swaps to maximize their profits, exacerbating the impact.
The attacker used an arbitrage bot to cause a loss of $2.3 million in a Curve pool. They found a flaw in the bot that allowed them to initiate trades of Wrapped Ether (WETH) for Wrapped Bitcoin (WBTC).
They then took out a flash loan of 27,255 WETH (equivalent to $51.36 million) and used it to significantly manipulate the WETH/WBTC price ratio in the Curve pool.
By disrupting the pool, the attacker forced the arbitrage bot to convert 1,339.8 WETH (approximately $2.52 million) to 6.95 WBTC (approximately $244,000).
It should be noted that the MEV bot owner had already cashed out of the contract before the attack.
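One way to guard an arbitrage entry point against the failure described in this section, as an added example that is not the bot's or Curve's code: check the caller, and refuse to swap when the pool's quote falls below a bound set from an independent reference price. It assumes a simplified constant-product pool; `OWNER`, `ref_price`, the function names and the pool balances are constructed for illustration.

```python
from dataclasses import dataclass

OWNER = "0xOWNER"  # constructed placeholder, not an address from the incident


class Rejected(Exception):
    """A guard refused to execute the swap."""


@dataclass
class Pool:
    """Constant-product pool (x * y = k); a simplification, not Curve's invariant."""
    weth: float
    wbtc: float

    def quote(self, weth_in: float) -> float:
        """WBTC the pool would pay for weth_in at its current balances."""
        return self.wbtc * weth_in / (self.weth + weth_in)

    def sell_weth(self, weth_in: float) -> float:
        out = self.quote(weth_in)
        self.weth += weth_in
        self.wbtc -= out
        return out


def arbitrage_unguarded(pool: Pool, caller: str, weth_in: float) -> float:
    """Shape of the flaw: any caller can trigger the swap at any pool price."""
    return pool.sell_weth(weth_in)


def arbitrage_guarded(pool: Pool, caller: str, weth_in: float,
                      ref_price: float, max_slippage: float = 0.01) -> float:
    """Same swap behind a caller check and a minimum-output bound.

    ref_price is WBTC per WETH from a source independent of the pool (assumed).
    """
    if caller != OWNER:
        raise Rejected("caller is not authorized")
    min_out = weth_in * ref_price * (1 - max_slippage)
    if pool.quote(weth_in) < min_out:
        raise Rejected("quoted output is below the slippage bound")
    return pool.sell_weth(weth_in)


def balanced_pool() -> Pool:
    return Pool(weth=20_000.0, wbtc=1_000.0)   # constructed: 0.05 WBTC per WETH


def skewed_pool() -> Pool:
    return Pool(weth=80_000.0, wbtc=250.0)     # constructed: same k, WETH-heavy
```

On the balanced pool the guarded call pays out close to the reference price; on the skewed pool the unguarded call accepts roughly 0.31 WBTC for 100 WETH, while the guarded call rejects it.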
Earlier Curve Finance exploits
On July 30, 2023, a series of exploits occurred in Curve Finance pools, resulting in losses of approximately $70 million. This incident raised significant concerns in the DeFi community. The attacks were made possible by vulnerabilities in Vyper, a third-party Pythonic programming language used for Ethereum smart contracts, including those of Curve and other decentralized protocols.
It should be noted that after the initial incident, both white hat hackers and Maximal Extractable Value (MEV) bot operators collaborated to recover a portion of the lost funds. As a result, the final value of the losses may be lower than the initial reports indicated.
Within less than a week of the exploit, the hacker returned 4,820 alETH and 2,258 ETH to Alchemix, worth approximately $12.7 million.
On August 6, 2023, Curve Finance announced via Twitter that the deadline for the hacker to voluntarily return the remaining funds had passed. As a result, the company has offered a $1.85 million reward for anyone who can identify the hacker.