code423n4 / Code4rena / CODE423N4:2023-11-SHELLPROTOCOL-FINDINGS-ISSUES-188
Dec 08, 2023 - 12:00 a.m.

High risk in integrating Ocean with Curve TriCrypto pool on Arbitrum

Code4rena
github.com
curve tricrypto adapter
potential exploit risks
re-entrancy attacks
loss of funds
arbitrum
security concerns
manual assessment

AI Score: 7.1 High (Confidence: Low)

Lines of code

Vulnerability details

Impact

The Curve TriCrypto adapter contract enables swapping, adding liquidity, and removing liquidity for the USDT-WBTC-ETH pool on Arbitrum. However, this pool has been flagged for potential exploit risks. Curve Finance issued a warning:

    This pool might be at risk of being exploited. While security researchers have not identified a profitable exploit, we recommend exiting this pool. https://twitter.com/CurveFinance/status/1685925429041917952

According to Vyper, its 0.2.15, 0.2.16, and 0.3.0 versions contained issues making some smart contracts vulnerable to re-entrancy attacks, in which attackers can trick the contracts into incorrectly calculating balances, allowing them to steal funds held by the contracts’ protocols. For details of the hack, please check: <https://www.chainalysis.com/blog/curve-finance-liquidity-pool-hack/>

The TriPool uses Vyper version 0.2.15: <https://arbiscan.io/address/0x960ea3e3c7fb317332d990873d354e18d7645590>
Using the adapter for transactions in this pool may lead to a loss of user funds, as it permits adding liquidity to the potentially vulnerable pool.

Proof of Concept

Tools Used

Manual

Recommended Mitigation Steps

Do not integrate Ocean into this particular TriCrypto pool on Arbitrum due to the highlighted security concerns.

Assessed type

Context

