MEV bot in Curve Finance pool lost $2m following hack

The arbitrage bot was hacked and lost about $2 million in one of the pools of the Curve Finance platform.

This was first reported by a user under the pseudonym Spreek. He suggested that the hack occurred due to the 0xf6ebebbb function.

This was confirmed by Beosin. According to them, the attacker took advantage of the fact that it was available without authorization to force a swap between pools.

🚨An unknown MEV bot was hacked for ~$2M. The root cause was that the arbitrage function 0xf6ebebbb did not have authentication, allowing the attacker to call 0xf6ebebbb to force swaps across multiple pools, resulting in high…

— Beosin Alert (@BeosinAlert)

He then issued an instant loan for 27,255 WETH (more than $51 million), changed the price balance in the WETH/WBTC pool, and conducted an arbitrage transaction through a bot.

The hacker exchanged 1339.8 WETH for 6.95 WBTC at the new rate. He then repaid the loan. The damage from his operations reached about $2 million.

Previously, an unknown liquidity provider lost more than $700,000 due to the actions of the MEV bot. User (0x568) created a WBTC-CRV liquidity pool on the Uniswap v3 platform. He then deposited $1.56 million worth of wrapped bitcoins into it. When setting up, he mixed up the CRV rate. The user set $1 instead of $0.5.

Read More

2023-11-08 17:15