Vyper language has vulnerabilities in certain versions, and projects such as Curve are being attacked.
jk
Odaily senior author
2023-07-31 00:30
Bug in the programming language led to multiple projects being attacked.

On July 30, Beijing time, it was discovered that there are serious vulnerabilities in some versions of the smart contract programming language Vyper. As a result, important projects including Curve Finance have been attacked.

According to a Twitter announcement from Vyper, an Ethereum smart contract programming language, three versions (0.2.15, 0.2.16, and 0.3.0) have a serious vulnerability that causes their reentrancy lock to fail. For blockchain projects, this issue may interrupt contract execution or lead to unpredictable results, affecting the stability of the entire system. The Vyper team strongly advises all projects using the affected versions to contact them immediately for technical support and solutions.

However, the vulnerability had already had an impact. Shortly afterwards, the Curve team tweeted that stable pools using Vyper 0.2.15, including alETH, msETH, and pETH, had been attacked because the reentrancy lock failed. The vulnerability allows attackers to execute certain functions multiple times within a single transaction, potentially causing significant losses to the affected blockchain projects.
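The following Python model is an added example, not Vyper, Curve, or Odaily code, showing what a reentrancy lock is meant to stop and how a defender can regression-test it. The per-function lock flag is a constructed failure mode (the article does not describe the root cause), and the names `make_pool`, `remove_liquidity`, `add_liquidity` and `guard_holds` are hypothetical.

```python
# Added illustration: toy Python model of a reentrancy lock, not Vyper or Curve code.
from functools import wraps

class Reentrancy(Exception):
    """Raised when a guarded function is entered while the lock is held."""

def nonreentrant(key, shared=True):
    # shared=True: every function using `key` checks the same flag (intended behaviour).
    # shared=False: constructed failure mode where each function gets its own flag.
    def deco(fn):
        slot = key if shared else (key, fn.__name__)
        @wraps(fn)
        def wrapper(self, *args):
            if slot in self.locks:
                raise Reentrancy(fn.__name__)
            self.locks.add(slot)
            try:
                return fn(self, *args)
            finally:
                self.locks.discard(slot)
        return wrapper
    return deco

def make_pool(shared):
    class Pool:  # hypothetical pool with two guarded entry points
        def __init__(self):
            self.locks, self.balance, self.reentered = set(), 100, []

        @nonreentrant("lock", shared)
        def remove_liquidity(self, amount, callback):
            callback(self)           # external call made before state is updated
            self.balance -= amount

        @nonreentrant("lock", shared)
        def add_liquidity(self, amount):
            self.reentered.append(self.balance)  # records the mid-call state it saw
            self.balance += amount
    return Pool()

def guard_holds(shared):
    """Regression check: is a nested call into another guarded function rejected?"""
    pool = make_pool(shared)
    try:
        pool.remove_liquidity(10, lambda p: p.add_liquidity(5))
    except Reentrancy:
        return True    # nested call rejected: the lock works
    return False       # nested call ran inside the outer call: the lock failed
```

A check of this shape belongs in a contract's test suite, run against the bytecode produced by the exact compiler version used for deployment.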

The Curve team also gave assurances that other pools are safe. The vulnerability had gone unnoticed throughout previous development until today. Curve's token also plummeted, with an intraday decline of 15.45%.

Curve's Twitter statement.

Several projects have been affected. According to on-chain data monitoring platform Supremacy Alert, the NFT collateral protocol JPEG'd has been impacted by the reentrancy vulnerability, with stolen assets reaching around $10 million. Subsequently, two other on-chain security accounts, Paddles and Hexagate, also tagged the JPEG'd project team in tweets, claiming that the transaction was a hacker transaction. The event caused the JPEG'd token price to drop from a stable level of around 0.00062 to 0.0003; it has since rebounded to 0.00049, a daily decline of 21.63%.

JPEG'd token price. Source: Coinmarketcap

The JPEG'd project team also responded after Curve's announcement, claiming, "Our protocol is not within the scope of this hacking event, our developers are very talented."

In addition, two other project teams have also been affected: according to Hexagate, the lending project AlchemixFi and the DeFi protocol MetronomeDAO have also been attacked, with attackers making profits of $13 million and $1.6 million, respectively. Both projects issued statements promptly, with Alchemix saying it had noticed the hacking event, which may cause instability in the project's token price, and advising LPs to withdraw liquidity from the pool as soon as possible.

MetronomeDAO, on the other hand, stated, "Providers who provide liquidity on msUSD and Optimism users who interact with msETH on Velodrome should be aware that their positions have not been affected. In addition, all Metronome deposits and open positions have not been affected by this event."
