Alchemix, a DeFi lending protocol, tweeted that Curve Finance notified Alchemix that due to a vulnerability in Vyper, their alteth/eth pool may be attacked. Alchemix quickly removed AMO-controlled liquidity from the curve pool through the AMO contract.
The exploit was performed on the Curve pool contract. The Alchemix smart contract has not been attacked in any way, and the funds are safe.
Three transactions are required: withdrawal of LP tokens from Convex, withdrawal of alETH from Curve pool, withdrawal of ETH from Curve pool. The first transaction unstaked LP tokens from Convex was executed, and after the second transaction was executed, 8,000 ETH were removed from the curve pool.
There are still about 5,000 ETH liquidity controlled by AMO in the curve pool. In the process of removing the remaining liquidity, the alETH/ETH curve pool was attacked by an attacker. Currently, the alETH reserve has lost about 5,000 ETH.
For users, the funds in the Alchemix vault are safe, and all Alchemix contracts are unaffected. It is not safe to provide liquidity in the alETH/ETH curve pool.
It is technically safe to provide liquidity for alETH elsewhere, but an attacker could use this liquidity to sell alETH in exchange for ETH.
The fair price of alETH is currently unknown, and any user who holds alteth or LPalETH faces this uncertainty.
Alchemix recommends that any LPs that provide liquidity in the decentralized trading platform Saddle Finance’s alETH pool and Curve’s frxETH pool withdraw their liquidity as soon as possible.