- Vyper zero-day results in a Curve exploit.
- Michael Egorov tops up collateral on loans.
- EAS is now integrated into the OP Stack.
- An ENS user reclaims $74 million.
Optimism Highlights 🔴✨
EAS Integrated Into The OP Stack
Ethereum Attestation Service (EAS), an open-source tool for creating onchain and offchain attestations, is now available on the OP Stack. The integration allows users to register schemas and create attestations on OP Mainnet. Any chain deployed on the OP Stack will have now its own native EAS contracts.
Vyper Zero-Day Leads To Curve Exploit
A zero-day vulnerability in the Vyper smart contract programming language resulted in the exploit of nearly $70 million on various Curve Finance stablecoin pools. The vulnerability affected contracts written in Vyper versions 0.2.15, 0.2.16, and 0.3.0, allowing malicious actors to execute reentrancy attacks. Only stablecoin pools written using the vulnerable Vyper versions were impacted. The exploited pools include pETH/ETH, msETH/ETH, alETH/ETH, and CRV/ETH. Approximately $17 million of the drained funds were recovered through whitehat efforts. One notable white hat operation, led by Alchemix, successfully retrieved $11.5 million from the exploit. Additionally, an MEV bot operator, known as c0ffeebabe, managed to rescue $5.4 million. Despite the successful retrieval of a portion of the stolen funds, an estimated $50 million worth of assets remain at large. The vulnerability has been addressed and rectified in Vyper release, v0.3.1. Vyper, known for its Pythonic EVM smart contract language, is the second most popular language used by Ethereum developers. [Ppost-morterm].
Curve Founder Tops Up Collateral
Curve CEO Michael Egorov has increased the collateral on his personal DeFi positions amid a drop in the price of CRV due to the recent exploit. Egorov holds active loans on Inverse, Fraxlend, Abracadabra, and Aave V2, using CRV tokens as collateral. An attacker was able to acquire 7.1 million CRV tokens during the Curve exploit. Egorov's largest position is held on Aave V2, where he has a $69 million loan secured by $172 million worth of CRV collateral. If the price of CRV drops below $0.37, his Aave position will face liquidation. Since CRV liquidity is scarce, a liquidation would cause bad debt on Aave and could potentially lead to cascading effects across DeFi. Egorov has since paid back over $500k on his Fraxlend loan and also added more collateral to his positions on Abracadabra and Aave. Egorov even added a measly 288 ENS tokens as collateral. Aave has previously considered freezing CRV as a collateral type on Aave V2 in an effort to prevent further risk of bad debt.
User Claims $74 Million From ENS Deed Contract
The owner of the darkmarket.eth ENS domain retrieved 39,712 ether from the original ENS deed contract. The user had deposited the funds during the initial ENS domain auctions back in 2017. The wallet was also inactive for the past couple of years. Over 20,000 ether still remains unclaimed in the deed contract. The first iteration of the ENS registry sold domains through a Vickrey auction. Users were required to submit blind bids and the winner paid the price of the second-highest bid. Winners were then required to keep their bid locked in the deed contract for at least one year and for as long as they held their domain. ENS later upgraded its contracts in 2019, removing the need to keep winning bids locked.