The Curve TriCrypto adapter contract enables swapping, adding liquidity, and removing liquidity for the USDT-WBTC-ETH pool on Arbitrum. However, this pool has been flagged for potential exploit risks. Curve Finance issued a warning:
This pool might be at risk of being exploited. While security researchers have not identified a profitable exploit, we recommend exiting this pool. https://twitter.com/CurveFinance/status/1685925429041917952
According to Vyper, its 0.2.15, 0.2.16, and 0.3.0 versions contained issues making some smart contracts vulnerable to re-entrancy attacks, in which attackers can trick the contracts into incorrectly calculating balances, allowing them to steal funds held by the contractsβ protocols. For details of the hack, please check: <https://www.chainalysis.com/blog/curve-finance-liquidity-pool-hack/>
The TriPool uses Vyper version 0.2.15: <https://arbiscan.io/address/0x960ea3e3c7fb317332d990873d354e18d7645590>
Using the adapter for transactions in this pool may lead to a loss of user funds, as it permits adding liquidity to the potentially vulnerable pool.
Manual
Do not integrate Ocean into this particular TriCrypto pool on Arbitrum due to the highlighted security concerns.
Context
The text was updated successfully, but these errors were encountered:
All reactions