Millions stolen from crypto platforms through exploited ‘Vyper’ vulnerability

Millions of dollars worth of cryptocurrency were stolen from several platforms over the weekend after hackers exploited a vulnerability in a programming language used widely in the cryptocurrency world.

Vyper — one of the most popular Web3 programming languages — is used to create blockchain smart contracts, but on Saturday its developers warned that versions 0.2.15, 0.2.16 and 0.3.0 are vulnerable to an issue in which hackers manipulate smart contracts in order to drain account funds.

“The investigation is ongoing but any project relying on these versions should immediately reach out to us,” they said.

Decentralized finance (DeFi) platform Curve Finance said in a post-mortem on Monday that at least $61 million worth of cryptocurrency was stolen from the platform through the vulnerability.

Some “white hat” hackers have been able to claw back a portion of the stolen funds, but the platform is attempting to reach out to the exploiters in an effort to get them to return the stolen cryptocurrency.

“The Curve team will continue to explore all avenues for the recovery of user funds and updates on the situation will be made on the social channels,” the company said in a blog post. Bloomberg reported on Monday that in addition to the funds stolen from the platform, $1.5 billion was also removed for safekeeping after Curve Finance tweeted that users should withdraw their funds.

In addition to Curve Finance, several other platforms — like Ellipsis, Alchemix, and MetronomeDAO — were affected by the incident. Several blockchain security firms had differing estimates on the losses due to confusion about how much white hat hackers had been able to get back from the original hackers.

In a tweet shared by Curve Finance, one of the developers of Vyper explained that the hack was both sophisticated and unexpected.

“The worst thing about the Curve hack is this is not something a typical researcher would have looked for, they dug ‘deep’ in our release history to find an exploitable issue for a large protocol with many millions at stake. This took a significant amount of time to identify,” said the developer, who goes by fubuloubu on Twitter.

“I think it's on the order of weeks to months to find. The execution was fairly coordinated, perhaps by a small group or team. We might find more information soon, but I think it's reasonable to suspect that state sponsored hackers could be involved, due to the resources invested.”

Last month, it was revealed that North Korean hackers were behind the $35 million hack of crypto platform Atomic Wallet.

North Korea’s Lazarus hacking group has been one of the primary drivers of attacks on cryptocurrency platforms, using billions in stolen crypto to allegedly fund its nuclear weapons program.

Fubuloubu warned that cryptocurrency has contracted in recent months, forcing hackers to focus their efforts on a smaller number of remaining platforms and languages like Vyper.


Jonathan Greig is a Breaking News Reporter at Recorded Future News. Jonathan has worked across the globe as a journalist since 2014. Before moving back to New York City, he worked for news outlets in South Africa, Jordan and Cambodia. He previously covered cybersecurity at ZDNet and TechRepublic.