Overview
The BNB Smart Chain (BSC) has recently been subjected to copycat attacks mirroring those on Ethereum, caused by a vulnerability in certain versions of the Vyper programming language. This sequence of events parallels the recent exploit aimed at the Curve Finance decentralized finance (DeFi) protocol.
A Growing Trend
Although Ethereum-based protocols traditionally see a higher rate of exploitation activity, BNB Smart Chain has not been spared either. Blockchain security firm BlockSec disclosed on July 30 that copycat attackers managed to steal approximately $73,000 in cryptocurrencies from BSC, spread across three separate exploits.
In a related context, similar attacks aiming at liquidity reserves on Curve Finance have resulted in cumulative losses of a staggering $41 million, as estimated by BlockSec.
Origin of Vulnerability
The security vulnerability is traced back to defective reentrancy locks in Vyper programming language versions 0.2.15, 0.2.16, and 0.3.0. These versions are used by numerous DeFi liquidity pools.
Vyper, widely used in Web3 projects, was designed specifically for the Ethereum Virtual Machine (EVM). Given its broad use, other protocols compiled with the affected Vyper versions may be at risk too.
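As an added illustration (not code from the article, from Curve, or from the Vyper compiler itself), the following Python model contrasts the two lock behaviours: the intended one, where every function marked with the same `@nonreentrant` key shares one storage slot, and the defective one in the affected versions, where each function received its own slot for the same key, so a re-entry into a different function was not blocked. The pool, its two functions, the balances and the callback are constructed for this example.

```python
from dataclasses import dataclass, field

@dataclass
class Pool:
    # Constructed model: both functions are meant to be @nonreentrant("lock").
    # shared_slot=True  -> intended behaviour, one storage slot per lock key.
    # shared_slot=False -> the defect, each function gets its own slot for the same key.
    shared_slot: bool
    balance: int = 100
    locks: dict = field(default_factory=dict)

    def _slot(self, fn: str) -> str:
        # With the defect, "lock" in add_liquidity and "lock" in remove_liquidity
        # are different slots, so neither function sees the other's lock state.
        return "lock" if self.shared_slot else f"lock@{fn}"

    def _acquire(self, fn: str) -> None:
        if self.locks.get(self._slot(fn)):
            raise RuntimeError(f"reentrancy blocked in {fn}")
        self.locks[self._slot(fn)] = True

    def _release(self, fn: str) -> None:
        self.locks[self._slot(fn)] = False

    def add_liquidity(self, amount: int) -> None:
        self._acquire("add_liquidity")
        try:
            self.balance += amount
        finally:
            self._release("add_liquidity")

    def remove_liquidity(self, amount: int, on_transfer=None) -> None:
        self._acquire("remove_liquidity")
        try:
            self.balance -= amount
            if on_transfer is not None:   # external call while the lock is held
                on_transfer(self)
        finally:
            self._release("remove_liquidity")

def reentry_reaches_add_liquidity(shared_slot: bool) -> bool:
    # True if a callback issued from remove_liquidity can re-enter add_liquidity.
    pool, entered = Pool(shared_slot=shared_slot), []

    def on_transfer(p: Pool) -> None:
        try:
            p.add_liquidity(10)   # cross-function re-entry attempt
            entered.append(True)
        except RuntimeError:
            pass                  # blocked, as a shared lock should do

    pool.remove_liquidity(30, on_transfer)
    return bool(entered)
```

The defensive takeaway is that a reentrancy guard only protects a set of functions if they all read and write the same lock storage; a per-function lock is no lock at all against cross-function re-entry.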
On-Chain Hacker Confrontations
The revelation of this exploit led to a cat-and-mouse chase, with white-hat and black-hat hackers pitted against each other on-chain. These skirmishes were characterized by mutual disruption, with each side either thwarting exploit attempts or working towards the recovery of misappropriated funds.
White-Hat Intervention
An apparent white-hat hacker operating under the pseudonym “c0ffebabe.eth” secured a portion of the misappropriated funds for safekeeping. This individual made a public call on July 30 through an on-chain message, urging the impacted protocols to reach out and arrange the return of funds.
As of now, records indicate that nearly 2,900 Ether, valued at over $5 million, has been recovered and returned to Curve in one particular transaction. In another noteworthy transaction, c0ffebabe.eth transferred 1,000 ETH to what appears to be a fresh wallet, likely functioning as secure cold storage for the recovered funds.