MEV bot in Curve Finance pool lost $2m following hack

By Anna Kharton

November 8, 2023 at 2:13 pm

Edited by Yana Khlebnikova

News

MEV bot in Curve Finance pool lost $2m following hack

Collect the article

The arbitrage bot was hacked and lost about $2 million in one of the pools of the Curve Finance platform.

This was first reported by a user under the pseudonym Spreek. He suggested that the hack occurred due to the 0xf6ebebbb() function.

This was confirmed by Beosin. According to them, the attacker took advantage of the fact that it was available without authorization to force a swap between pools.

🚨An unknown MEV bot was hacked for ~$2M. https://t.co/HC2QYEfGZ7

The root cause was that the arbitrage function 0xf6ebebbb() did not have authentication, allowing the attacker to call 0xf6ebebbb() to force swaps across multiple https://t.co/m0tYfbwWqY pools, resulting in high… pic.twitter.com/2Xah6j57ed
— Beosin Alert (@BeosinAlert) November 8, 2023

He then issued an instant loan for 27,255 WETH (more than $51 million), changed the price balance in the WETH/WBTC pool, and conducted an arbitrage transaction through a bot.

The hacker exchanged 1339.8 WETH for 6.95 WBTC at the new rate. He then repaid the loan. The damage from his operations reached about $2 million.

Previously, an unknown liquidity provider lost more than $700,000 due to the actions of the MEV bot. User (0x568) created a WBTC-CRV liquidity pool on the Uniswap v3 platform. He then deposited $1.56 million worth of wrapped bitcoins into it. When setting up, he mixed up the CRV rate. The user set $1 instead of $0.5.