- Fallout from a $61 million hack of decentralised exchange Curve threatened to upend crypto markets.
- Critics said security firm BlockSec made matters worse when it shared what it knew about the hack as it was happening.
- BlockSec’s CEO defended his firm, and said it was just trying to warn users whose money was at risk.
As Curve raced to fend off a weekend hack whose fallout has threatened to upend crypto markets, one security firm did more harm than good, according to founder Michael Egorov.
That firm, BlockSec, said it discovered the vulnerability just hours before the hack and used “trusted channels” to warn Curve. When hackers pounced, BlockSec took to Twitter — now known as X — to share what it knew about the software vulnerability.
The post was meant to sound the alarm for unwary Curve users, the firm says. But critics, including Egorov, slammed the decision.
“We have multiple very well-known communication channels,” Egorov told DL News. “Giving up and writing publicly is … very bad.”
On Sunday, hackers stole more than $61 million from Curve, which is the second-largest decentralised exchange by users’ crypto deposits.
The hack has hammered the price of Curve’s governance token, CRV. That, in turn, has threatened decentralised finance writ large: Egorov had used CRV worth hundreds of millions of dollars as collateral when taking out loans from other DeFi protocols. The token’s drop has forced Egorov to scramble to repay some of his loans in order to avoid automatic liquidation.
In an earlier statement to DL News, Egorov said he thinks he’s succeeded, though he declined to share much else about the deals he struck in order to repay the loans.
In a statement for this story, Egorov said he didn’t recall communication from BlockSec prior to the hack, which exploited a vulnerability in Vyper, the programming language in which Curve was written.
‘DM us if you need any help’
On Sunday afternoon UTC, hackers drained three liquidity pools on Curve. About four hours after the first exploit, BlockSec said it discovered the much larger CRV/ETH liquidity pool was vulnerable to the same exploit. Two hours later, hackers struck.
BlockSec said it discovered the vulnerability about two hours before it was exploited. Because the firm was unable to directly message Curve on Twitter, it tried to contact the exchange’s developers through a “trusted party” — to no avail.
The offending post, published less than an hour after hackers began draining the exchange, included screenshots of the vulnerable code and an offer to Curve: “Please DM us if you need any help.”
It set off a firestorm.
Critics accused BlockSec of helping other, less capable hackers find and exploit the vulnerability as friendly hackers, known as white hats, were trying to spirit some of the remaining money to safety.
“There is a very well established security vulnerability disclosure path in the security industry,” Lefteris Karapetsas, founder of Rotkiapp and a longtime Ethereum developer, told DL News. “But many firms in this field do not follow it. Why, I can’t say.”
NOW READ: Conic on its $4m loss in hacks: We ‘don’t blame the auditors’
Yajin Zhou, a co-founder of BlockSec, defended his firm, citing the public nature of blockchains.
“Disclosing the transaction will NOT worsen the situation since the attack transaction is PUBLIC to everyone,” Zhou told DL News. “Many hackers monitor the transactions on the chain and take copycat action even if we pretend the attack did not happen and did not post it to warn the community.”
Disclosing the details of the exploit was intended to help Curve users, he added.
“We think the users have the right to know what’s happening and withdraw their assets if possible. It’s not fair to them to just wait in the blind and be drained.”
A ‘very questionable topic’
The issue is particularly urgent in an industry desperate to dispel the notion it is a dangerous place to park one’s money.
Half a billion dollars have been stolen from DeFi protocols so far this year, according to DefiLlama data.
“The extent to which the security experts should publicly disclose their findings is a very questionable topic,” Omar Ganiev, CEO of crypto security firm Decurity, told DL News. “We won’t be judging any of the sides here because we can only speculate: it is not known that any of the attacks happened because of the public disclosures.”
Some hacks can take years to research and execute, according to Ganiev. Indeed, Vyper contributor and ApeWorX founder Bryant Eisenbach said that Sunday’s hacker exploited a vulnerability that likely took “weeks or months to find.”
“There’s no knowledge you could possibly get in a few minutes or hours that they couldn’t have already figured out, and it’s even less probable that they sit scrolling Twitter feed and searching for the clues there instead of actually doing their own research,” Ganiev said.
And tweeting about the vulnerability gives users the opportunity to get out before it’s too late, according to Ganiev.
“Silencing the vulnerabilities during such a mess puts them at risk,” he said.
Nevertheless, once a hacker pounces, it sets off a race between the hacker, copycat villains, developers at the target protocol, and benevolent hackers who might attempt to squirrel the money away for safekeeping.
“In practice, most attackers are sloppy and rush acting, and so giving them even slightest tips might save them a minute and also give heads up for the new attackers who join the party, while the white hats and project owners can be at disadvantage here,” Ganiev said.
NOW READ: Crypto’s open-source culture risks projects shutting down — here’s a solution
Others were less judicious.
“Publicly highlighting attack vector was a bad action with marketing intentions only,” Dyma Budorin, CEO of Hacken, a competing smart contract auditing firm, told DL News. “Such action doesn’t help regular users at all, because they are not that technical.”
In any case, Curve had already sounded the alarm, according to Karapetsas.
“Users were given ample warning to flee from all the affected pools long before BlockSec had tweeted,” he said.
Security standards
Hugh Brooks, director of security operations at CertiK, said that standards for responding to an ongoing exploit already exist.
Resources include the Open Web Application Security Project and guidelines published by government agencies such as the United States’ Cybersecurity and Infrastructure Security Agency.
A vulnerability shouldn’t be shared publicly before exhausting every avenue of notifying the protocol’s developers, according to Brooks.
“The desire to raise the alarm as loudly as possible is an understandable one in the circumstance, but the best practices outlined above are battle-tested and exist for a reason,” he said.
“It’s crucial to avoid a scenario where attackers have the same intel as defenders. By publicly broadcasting a live exploit, there’s a risk of creating an environment where all parties, both good and bad, have equal information.”
Zhou finds existing standards lacking.
“Because of the openness of blockchain, there should be a new procedure for handling an ongoing attack,” he said. “The community should be warned if an attack is in the wild.”
Disclaimer: The two co-founders of DL News were previously core contributors to the Curve protocol.
Update, August 2: The story was amended to clarify that the vulnerability Blocksec discovered was specifically related to the CRV/ETH liquidity pool, and that other pools had been exploited prior to its discovery. The statement that Curve developers were rushing to patch it was removed.