Root-cause analysis not yet published. The incident description below contains all currently available signal — review the attack transaction directly for definitive forensics.
DeFi lending protocol Alchemix said on Twitter that after receiving notification from Curve Finance that the altH/ETH pool was attacked due to a Vyper bug, Alchemix quickly began removing AMO-controlled liquidity from the Curve pool through the AMO contract. The exploit was performed on the Curve pool contract. The Alchemix smart contract has not been compromised in any way and funds are safe. executed on the contract. Three transactions are required: unstake LP tokens from Convex, withdraw alETH from Curve pool, and withdraw ETH from Curve pool. The first transaction above has been executed, and after the second transaction is executed, 8000 ETH is removed from the Curve pool. This means that there is still about 5,000 ETH liquidity controlled by AMO in the Curve pool. In the process of removing the remaining liquidity, the alETH/ETH Curve pool was drained by the attacker. Currently, the alETH reserve has lost about 5,000 ETH. On September 4th, Alchemix issued a document stating that a white hat MEV robot operator has returned 43.3 ETH profits obtained through arbitrage from the Curve alETH/ETH pool attack incident, which will be added to the redistribution of funds. Attack method (per SlowMist): Affected by Vyper Vulnerability. Reported loss: $ 35,315,843.
- chain
- —
- protocol
- Alchemix
- bug_class
- mev
- date_occurred
- 2023-07-30
- loss_usd
- $35,315,843
- source_id
- sm:alchemix::2023-07-30