In Brief
An attacker exploited an arbitrage bot to siphon off $2.3 million by manipulating the Curve Finance pool with a flash loan.
In a recent attack, an exploiter drained $2.3 million from an arbitrage bot. The attack involved a flash loan and subsequent price manipulation within the Curve Finance pool.
The incident unfolded when the attacker identified an exposed function within the bot’s code that allowed the conversion of Ethereum to Bitcoin. By taking out a massive flash loan of 27,255 WETH, valued at approximately $51.36 million, the attacker was able to significantly skew the WETH/WBTC price ratio in the Curve pool.
The attacker deliberately distorted the price ratio in the Curve pool. This forced the arbitrage bot into an unfavorable trade, exchanging 1339.8 WETH for just 6.95 WBTC, inflicting a significant financial blow to the bot’s operators.
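The missing safeguards can be shown in a small model. This is an added example, not code from the article or from the bot's contract: it assumes a constant-product pool rather than Curve's real invariant, constructed reserves and reference price, and hypothetical names (`Pool`, `Bot`, `open_sell`, `guarded_sell`). Only the 27,255 WETH and 1339.8 WETH amounts come from the article.

```python
"""Constructed model: x*y=k pool (not Curve's real invariant), fees ignored."""

class Pool:
    def __init__(self, weth, wbtc):
        self.weth, self.wbtc = weth, wbtc

    def quote(self, weth_in):
        # WBTC received for weth_in at the current reserves
        return self.wbtc * weth_in / (self.weth + weth_in)

    def sell_weth(self, weth_in):
        out = self.quote(weth_in)
        self.weth += weth_in
        self.wbtc -= out
        return out

class Bot:
    def __init__(self, owner, weth, max_slippage=0.02):
        self.owner, self.weth, self.max_slippage = owner, weth, max_slippage

    def open_sell(self, caller, pool, amount):
        # Pattern the article describes: any caller, any pool price accepted
        self.weth -= amount
        return pool.sell_weth(amount)

    def guarded_sell(self, caller, pool, amount, ref_price):
        # ref_price: WBTC per WETH from a source independent of this pool (assumed)
        if caller != self.owner:
            raise PermissionError("caller is not the bot owner")
        min_out = amount * ref_price * (1 - self.max_slippage)
        if pool.quote(amount) < min_out:
            raise ValueError("pool quote below minimum acceptable output")
        self.weth -= amount
        return pool.sell_weth(amount)

def skewed_pool():
    # Constructed reserves; 27,255 WETH sold into the pool first, as in the article
    pool = Pool(100_000.0, 5_350.0)
    pool.sell_weth(27_255.0)
    return pool

if __name__ == "__main__":
    print("open  :", Bot("owner", 1339.8).open_sell("anyone", skewed_pool(), 1339.8))
    try:
        Bot("owner", 1339.8).guarded_sell("owner", skewed_pool(), 1339.8, 0.0535)
    except ValueError as e:
        print("guard :", e)
```

With these constructed reserves the open function accepts roughly 43.8 WBTC for a trade worth about 71.7 WBTC at the reference price, while the guarded function reverts and the bot keeps its WETH.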
The transaction that drained the funds from the arbitrage bot can be tracked on Etherscan, revealing the specifics of the strategy that led to the bot’s downfall. The affected bot’s address is publicly viewable, providing a transparent ledger of the financial activity leading up to the exploit.
Looks like an arb bot contract got rekt for $2m
Had an open function to sell weth for wbtc and blackhat found it and moved the price of the pool to drain the arb bot contract. pic.twitter.com/BNRJUHrmAX
— Spreek (@spreekaway) November 7, 2023
Twitter user spreekaway highlighted the event, summarizing the exploit that impacted the arbitrage bot. The post pointed to a critical vulnerability within the bot’s code: an open function that the attacker was able to call. The incident shows the persistent dangers in automated cryptocurrency trading strategies.
This incident sharply highlights the inherent risks in the DeFi space. The complexity of smart contracts can occasionally open up unforeseen opportunities for exploitation. The persistence of these exploits underscores the critical necessity for thorough smart contract audits. It also calls for robust security implementations across the decentralized finance ecosystem.
Nik is an accomplished analyst and writer at Metaverse Post, specializing in delivering cutting-edge insights into the fast-paced world of technology, with a particular emphasis on AI/ML, XR, VR, on-chain analytics, and blockchain development. His articles engage and inform a diverse audience, helping them stay ahead of the technological curve. Possessing a Master’s degree in Economics and Management, Nik has a solid grasp of the nuances of the business world and its intersection with emergent technologies.
Nik Asti