ZachXBT Tracks Down Developer Potentially Involved in Curve Exploit

/?utm

Today, prominent blockchain sleuth ZachXBT and the team behind the JPEG’d project contacted Michael Razoumovitch with a proposed white hat bounty. According to the Web3 detective, Razoumovitch’s address is “tied on-chain to the recent Curve Pool exploit” that took place on July 30 due to a reentrancy vulnerability in the middle of the Vyper contract-oriented programming language. ZachXBT has not revealed any specifics regarding the developer allegedly responsible for the attack on Curve, an open-sourced DeFi exchange, established on cryptocurrency pools. Twitter users have connected the developer to the web3.py Python library, as well as to Bancor’s network which is designed to facilitate an “ecosystem of decentralized, open-source DeFi protocols“. It remains unknown what was the developer’s response to “JPEG’d project“, an experimental protocol based on bridging between DeFi and NFTs. The JPEG’d creators previously stated that the contracts were safe and were not fall into “hacker’s scope”, while “the vault contracts that allow borrowing against NFTs were secure and still running strongly” Also, trustless Treasury funds and NFTs have never posed any risk.

Even though, blockchain analytics firm CertiK stated that white hats partially recovered the funds of almost $17 million from the total amount the attacker stole worth $69.3 million, CertiK classified the reentrancy attack as “the biggest and the most significant reentrancy attack so far” in 2020. Noteworthy, one of the largest and the most successful transaction was secure by the white hat mev Bot, designed to explore the blockchain, called Coffeebabe.eth. Mev bot, with the help of larger opportunity to earn with higher gas rate, managed to secure over 2,800 ETH worth of 5.2$ million according to the market value at the time of transaction.

At present time, the developers of Vyper published multiple versions of the programming language. As per CertiK study, older versions, such as 0.2.15, 0.2.16 and 0.3.0 have a specific form of exploit, called reentrancy. As typically present in Vyper, the reentrancy attack conducting exploitation by attacking pETH- ETH-f pool. The root of exploit laid inside of smart contracts, executed like malicious flow and allowed to drain the initiative funds by unwanted reentrancy holes created outside of the loop. Fortunately, due to quick logical reaction the leading platforms that use Vyper, like Binance, managed to upgrade and make fixes in 0.3.7 version and higher of Vyper in order to delete the issue. Additionally, CertiK highly encourage initiatives using the earlier version of Vyper that contain the hacking loophole to use latter codes with enhanced reconfiguration.

Yekatsiaryna Pshanichnaya-Kosowska

Tech-enthusiast with a passion for words, embracing nonviolence in the reflected world and online.

Robert Wilson author
Articles: 12200