This article is more than nine months old

ChainLight says ‘simple mistake’ derailed attempt to stop Curve hack

ChainLight says ‘simple mistake’ derailed attempt to stop Curve hack
A security firm tried to help Curve as it was being drained, but almost cost the protocol $5.4 million instead.
  • A security firm says it made a 'simple mistake' while it was attempting to protect Curve from hackers last month.
  • The mistake could have cost Curve $5.4 million to the hackers.
  • But an automated trading bot swooped in and claimed the money instead, and later returned it.

A blockchain security firm bungled an attempt to out-hack attackers who syphoned more than $50 million from Curve last month, an incident that highlights the peril — and promise — of the blockchain’s public nature.

On July 30, hackers drained four liquidity pools on Curve — places where users can swap one token for another.

Working on behalf of Curve, security firm ChainLight attempted to hack the protocol’s CRV/ETH liquidity pool before hackers could steal the remaining $5 million — money leftover after an initial $20 million hack of the pool.

But it didn’t go as planned. ChainLight broadcast its hack, which automated trading bots immediately tried to front-run. One of them did so successfully: a bot known as c0ffeebabe.eth, which later returned the $5.4 million.

In a blog post published Tuesday, ChainLight said it had meant to use Flashbots, a service that hides pending transactions from the automated trading bots, which trawl the queue in search of lucrative opportunities to front-run others.

But a researcher at the firm botched the process, and the attempted hack was not routed through Flashbots.

“While it was a minor mistake, it could have resulted in a significant loss of assets. At this point, the researcher had already lost the first race to an attacker, and felt that time was of the essence,” ChainLight wrote, referring to the initial CRV/ETH hack.

“With the combination of a time crunch and high stakes situation, a simple mistake was made that could have been avoided.”

Join the community to get our latest stories and updates

ChainLight did not return a request for comment.

It wasn’t the only mistake made at the time: security firm BlockSec came under fire for sharing details about the exploit as it was happening, a move that could have helped the hackers, according to critics.

NOW READ: ‘Most attackers are sloppy’: critics slam decision to live-tweet Curve exploit

BlockSec said it had attempted to contact Curve, to no avail. Industry security experts have since released a hotline for researchers who identify vulnerabilities before they’re widely known.

Technical investigation

During its technical investigation, ChainLight unravelled a series of steps that played a role in the issue.

The whitehat operation began by setting up how their software communicates with the blockchain for testing purposes. This chosen method of communication was specified within a file named foundry.toml. During testing, the software operated based on the method outlined in that file.

To conduct specific testing, ChainLight relied on a tool named anvil, akin to a digital assistant that helps with certain tasks. A ChainLight researcher adjusted anvil to match the instructions in foundry.toml.

Later, when they aimed to move forward with deployment using Flashbots, they updated the instructions in foundry.toml to align with this process. But a complication arose when a command they used missed the specific instructions in foundry.toml.

That misstep resulted in an unintended method being chosen, which ultimately led the transaction to utilise a public communication channel rather than the intended Flashbots pathway.

In addition to c0ffeebabe.eth, at least one other copycat tried to deploy the same contact, but failed to execute it in time to successfully exploit the liquidity pool.


The series of lightning-fast transactions puts a spotlight on the open nature of blockchain technology — a public ledger viewable to anyone — and the DeFi protocols built on top. That includes the automated trading bots.

In another recent hack, one hacker was front-run by another.

A hacker who attempted to exploit DeFi protocol Conic Finance on July 21 had their malicious smart contract copied by another hacker, who paid a higher transaction fee in order to get priority, according to Nikita Kirillov, a security researcher at crypto security firm Pessimistic.

NOW READ: Conic Finance suffers $3m exploit in twist to ‘typical re-entrancy attack’

“It is usually automatic,” Kirillov told DL News at the time. “A user (or a hacker) finds some profitable interactions on the blockchain, MEV bots see their transactions in the meme pool, copy-paste the transactions but with higher gas values to be executed first, profit.”

Indeed, hackers are often front-run not by other copy-paste hackers but by MEV bots, the automated trading bots that search for arbitrage opportunities.

C0ffeebabe.eth has front-run several hacks and often returned the money, according to blockchain observers.

A template titled “Whitehats Kit,” authored by Emiliano Bonassi, the former head of research at bug bounty platform ImmuneFi, would limit mistakes like the one ChainLight made, the firm said in its blog post.

“For ChainLight, we saw a simple mistake by one of our researchers put thousands of Ether at risk. We also saw that time is a scarce resource during these operations,” it said.

“We are determined to learn from this and put into place procedures for conducting a whitehat operation. By testing these procedures before the need arises, we will be able to respond more quickly and more professionally.”

Aleks Gilbert is a New York-based DeFi correspondent for DL News, email him with tips at