How an Ethereum Bot Used Uniswap to Save $5.4 Million From Curve Exploit

As crypto’s decentralized finance ecosystem quaked on Sunday amid $52 million stolen from Curve Finance, one buying and selling bot jumped into the fray. Its mission: copy the attackers-at-large, safe thousands and thousands of {dollars} in crypto earlier than it’s gone, after which give all of it again in an obvious white-hat intervention.

A problem with the programming language Vyper, used for writing good contracts on the Ethereum blockchain, supplied a window of alternative for exploits involving liquidity swimming pools on Curve Finance, one in every of DeFi’s go-to exchanges.

On the time of writing, Curve has $1.6 billion in whole worth locked, down 42% over the previous day, but nonetheless a major slice of Ethereum’s $23-billion DeFi panorama, in keeping with DefiLlama.

Attackers manipulated the value of tokens in a number of liquidity swimming pools, the place one token might be exchanged for one more. Latest stories from the blockchain safety agency PeckShield estimate that $52 million has been misplaced. However the attackers did not get away with your complete stash.

Somebody used the exploit in Curve’s CRV-ETH liquidity pool—the place Ethereum might be swapped for the alternate’s governance token, Curve DAO (CRV)—to, in a way, exploit the exploiters. The transaction value about $32 value of crypto in transaction charges however yielded 2,879 Ethereum—a revenue of round $5.4 million.

The 2,879 Ethereum was in the end returned to Curve by a bot bearing the title “c0ffeebabe.eth,” in keeping with Etherscan. Ethereum addresses are an extended string of alphanumeric characters by default, however the bot’s proprietor gave it a human-readable title utilizing the Ethereum Title Service. PeckShield additionally attributes the bot with having nabbed one other $1.6 million from artificial asset protocol Metronome, nevertheless it’s but unclear if these funds have been additionally returned. PeckShield didn’t instantly reply to Decrypt’s request for clarification.

The bot’s motion was a profitable, split-second arbitrage play, involving flash loans and the decentralized alternate Uniswap, Yixin Cao, lead knowledge scientist on the DeFi evaluation platform EigenPhi informed Decrypt.

“Not loads of actors can do the sort of factor,” she stated. “There are loads of subtle attackers on the market, however this type of arbitrage requires very in-depth information.”

Uniswap and Balancer

EigenPhi’s breakdown of the transaction outlines 16 distinct steps taken by the bot—however the play hinged on two distinct DeFi tasks.

C0ffeebabe.eth’s split-second commerce first tapped Balancer, a liquidity protocol, for a flash mortgage of 100 Ethereum. Flash loans are uncollateralized and require debtors to pay them again throughout the similar transaction.

Then, Uniswap was important, Cao stated, as a result of it allowed c0ffeebabe.eth to capitalize on the discrepancy between CRV’s worth on Uniswap and Curve it deliberate to create by utilizing the Vyper bug. The bot swapped 70 Ethereum for over 190,000 CRV utilizing Uniswap.

An preliminary burst of 30,000 CRV directed at Curve’s CRV-ETH pool brought about the Vyper bug to throw it out of steadiness. The pool’s unbalanced state allowed c0ffeebabe.eth to alternate its remaining CRV for two,949 Ethereum—317 instances what it might have in any other case been in a position to get with out the exploit.

After the flash mortgage was repaid, that left c0ffeebabe.eth with a large revenue.

The Vyper exploit turned what would’ve been a small play into an enormous one, Cao stated. With out leveraging the vulnerability, c0ffeebabe.eth would’ve walked away with solely 9.3 Ethereum based mostly on a simulation performed by EigenPhi.

On-chain Hope

Not lengthy after the deed was completed, c0ffeebabe.eth broadcast a message utilizing Inner Information Messages (IDM), which permits messages to be despatched on Ethereum’s blockchain. 

“Transferring funds to chilly pockets for now, affected protocols can contact by way of etherscan chat,” the particular person behind the bot stated on-chain, signaling they’d maintain the stolen funds in a digital pockets securely that has non-public keys remoted from the web. 

“Deployer from Curve,” one Ethereum account responded on-chain, figuring out itself as a part of the Curve workforce. “One tx you front-ran was a hack of CRV/ETH pool. Can refund?”

A number of blockchain safety consultants informed Decrypt that c0ffeebabe.eth’s commerce didn’t look like an instance of front-running. Regardless, the bot ultimately parted with what would’ve been its greatest payday ever.

Previous to Sunday, c0ffeebabe.eth had amassed round $29,000 in revenue throughout totally different arbitrage transactions, in keeping with EigenPhi’s account profiler. Although Sunday’s takeaway overshadowed the bot’s efficiency to this point, it didn’t forestall c0ffeebabe.eth from fulfilling its selfless, white-hat service.