MEV bot in Curve Finance pool lost $2m following hack
The arbitrage bot was hacked and lost about $2 million in one of the pools of the Curve Finance platform.
This was first reported by a user under the pseudonym Spreek. He suggested that the hack occurred due to the 0xf6ebebbb() function.
This was confirmed by Beosin. According to them, the attacker took advantage of the fact that it was available without authorization to force a swap between pools.
He then issued an instant loan for 27,255 WETH (more than $51 million), changed the price balance in the WETH/WBTC pool, and conducted an arbitrage transaction through a bot.
The hacker exchanged 1339.8 WETH for 6.95 WBTC at the new rate. He then repaid the loan. The damage from his operations reached about $2 million.
Previously, an unknown liquidity provider lost more than $700,000 due to the actions of the MEV bot. User (0x568) created a WBTC-CRV liquidity pool on the Uniswap v3 platform. He then deposited $1.56 million worth of wrapped bitcoins into it. When setting up, he mixed up the CRV rate. The user set $1 instead of $0.5.
