According to the Daily Planet, in response to the losses that multiple projects suffered in the attack on some of Curve's stablecoin pools, SlowMist founder Yu Xian commented that a bug at the smart contract language layer caused the reentrancy lock defense of some well-known projects to fail, and that black hat and white hat hackers and MEV bots went crazy, using various reentrancy manipulations and preemptive actions to take away funds. Fortunately, it was not Solidity that had problems this time, but the less popular Vyper.
Because the reentrancy lock malfunctions in some versions of Vyper (0.2.15, 0.2.16, and 0.3.0), the alETH/ETH, msETH/ETH, pETH/ETH, and CRV/ETH pools on Curve were attacked.
According to monitoring by Paidun, the DeFi lending protocol Alchemix, the DeFi public product JPEG'd, the DeFi synthetic asset protocol Metronome, the cross-chain bridge deBridge, Ellipsis (a DEX on the BNB Chain that uses the Curve mechanism), and the Curve CRV/ETH pool were attacked, with losses of approximately US$52 million.
Afterwards, the MEV bot c0ffeebabe.eth returned 2,879 ETH (about US$5.4 million) to the Curve.fi: Deployer address.