TechFlow news: DeFi lending protocol Alchemix tweeted that Curve Finance has notified Alchemix their alETH/ETH pool may have been attacked due to a vulnerability in Vyper. Alchemix promptly removed liquidity controlled by the AMO from the Curve pool via the AMO contract. The exploit occurred on the Curve pool contract; Alchemix's smart contracts were not compromised and funds remain secure.
This process required three transactions: withdrawing LP tokens from Convex, withdrawing alETH from the Curve pool, and withdrawing ETH from the Curve pool. The first transaction—unstaking LP tokens from Convex—has been completed. After executing the second transaction, 8,000 ETH were removed from the Curve pool. Approximately 5,000 ETH of AMO-controlled liquidity remained in the Curve pool. During the removal of the remaining liquidity, the alETH/ETH Curve pool was attacked. Currently, about 5,000 ETH worth of alETH reserves have been lost.
For users, funds in the Alchemix treasury are safe, and all Alchemix contracts are unaffected. However, providing liquidity in the alETH/ETH Curve pool is unsafe. Providing liquidity for alETH elsewhere is technically safe, but attackers may exploit such liquidity to sell alETH for ETH. The fair market price of alETH is currently uncertain, exposing any alETH or LP alETH holders to this risk. Alchemix advises LPs providing liquidity in Saddle Finance’s alETH pool and Curve’s frxETH pool to withdraw their liquidity immediately.




