Exploited MEV Bot Incurs $2M Loss in Curve Pool Swaps: Data

According to PeckShield Alert data, an unknown Miner Extractable Value (MEV) bot has fallen victim to a hack, causing a loss of approximately $2 million.

The incident, which took place in the renowned curve pools, has led to multiple large swaps and subsequent reverse swap arbitrage.

Attacker Manipulates Curve Pool

The exploitation occurred when the arbitrage function, 0xf6ebebbb(), lacked proper authentication, providing an open door for the attacker to manipulate swaps across multiple curve pools. This malicious activity resulted in significant slippage, causing substantial losses for the affected parties.

#MEV An unknown MEV bot was exploited (with $2m loss) to make multiple large swaps in #curve pools, causing arb with simple reverse swaps.https://t.co/POY91xvwC4 pic.twitter.com/vu1CaxSrdt

— PeckShieldAlert (@PeckShieldAlert) November 8, 2023

As the situation unfolded, the attacker cunningly reversed the swaps to maximize their profits, compounding the impact of this incident.

The attacker exploited an arbitrage bot, resulting in a loss of $2.3 million through the Curve pool. They discovered an exposed function within the bot, which enabled them to trigger a transaction from Wrapped Ether (WETH) to Wrapped Bitcoin (WBTC).

Subsequently, they executed a flash loan for 27,255 WETH (equivalent to $51.36 million), utilizing it to significantly manipulate the price ratio of WETH/WBTC within the Curve pool.

By destabilizing the pool, the attacker compelled the arbitrage bot to convert 1,339.8 WETH (approximately $2.52 million) into 6.95 WBTC (around $244,000).

It is important to note that the owner of the MEV bot had already withdrawn funds from the contract prior to the attack.

Curve Finance Prior Exploits

On July 30, 2023, a series of exploitations occurred in multiple liquidity pools on Curve Finance, resulting in losses of approximately $70 million. This incident raised significant concerns within the DeFi community. The attacks were made possible due to a vulnerability in Vyper, a third-party Pythonic programming language utilized by Ethereum smart contracts, including those of Curve and other decentralized protocols.

It is important to note that, following the initial incident, both white hat hackers and Miner Extractable Value (MEV) bot operators collaborated to recover a portion of the lost funds. As a result, the final value of the losses may be lower than the initial reports suggested.

Less than a week after the exploit, the hacker returned 4,820 alETH and 2,258 ETH to Alchemix, which amounted to approximately $12.7 million.

On August 6, 2023, Curve Finance announced via Twitter that the deadline for the hacker to voluntarily return the remaining funds had passed. As a result, the company extended its bounty offer of $1.85 million to anyone who could identify the hacker.