Last updated
After the Vyper-Curve Exploit, Coffeebabe.eth utilized the Vyper-based Curve CRV/WETH pool's significant price deviation from the market price and made an arbitrage with a $5.4 million profit.
Step 0: Borrow 100 WETH from Balancer Vault using Flash Loan.
Steps 2-3: Sell 70 WETH on UniswapV3Pool to obtain 190,388 CRV at an average exchange rate of 2719 CRV/WETH.
Steps 4-5: Directly transfer and trigger claim_admin_fees operation by sending 30,000 CRV to the Curve Pool. This operation will update parameters such as pool balance and total supply.
Steps 6-9: Call the exchange method of the Curve Pool to convert and exchange a total of 160,388 CRV for approximately ETH equivalent to be converted back into WETH at an average exchange rate of approximately 54.375 CRV/WETH.
Step 13: Return the borrowed amount of 100WETH through Flash Loan.
Steps 14-16: Convert the remaining 2879WETH into ETH and send it back to the 'from' address.
Step 5, claim_admin_fees operation, is crucial. Due to the exploitation of Vyper-related contracts, there has been a significant deviation between the actual balances of the pool created using Vyper and their internal accounting values. The purpose of claim_admin_fees() is to align the internal accounting amount with the actual balance, similar to Uniswap V2's skim() method
UniswapV3: the largest decentralized exchange (DEX)
Balancer, Curve: other major DEXes
The pentagon "from" is Coffeebabe's EOA address.
The oval "to" is Coffeebabe's contract address.
The solid oval "WETH" is the WETH token's address.
The oval "UniswapV3Pool", "Balancer Vault", and "Curve Pool" are the pool addresses for DEXes.
ETH, WETH, CRV
Step 0: Borrow 100 WETH from Balancer Vault using Flash Loan.
Steps 2-3: Sell 70 WETH on UniswapV3Pool to obtain 190,388 CRV at an average exchange rate of 2719 CRV/WETH.
Step 4: Directly transfer and trigger claim_admin_fees operation by sending 30,000 CRV to the Curve Pool. This operation will update parameters such as pool balance and total supply.
Step 5: Internal operation of Curve.
Steps 6-9: Call the exchange method of the Curve Pool to convert and exchange a total of 160,388 CRV for approximately ETH equivalent to be converted back into WETH at an average exchange rate of approximately 54.375 CRV/WETH.
Step 10: Internal operation of Curve corresponding to steps 6-9.
Steps 11-12: The 'to' transfers ETH to itself for unknown reasons.
Step 13: Return the borrowed amount of 100WETH through Flash Loan.
Steps 14-16: Convert the remaining 2879WETH into ETH and send it back to the 'from' address.
By simulating execution, we find that without executing claim_admin_fees() before calling exchange() for conversion, according to the internal accounting of this contract, 190,388 CRV can only swap for 9.337 ETH at an average price of 20390 CRV/ETH. The valuation of CRV is much lower than what actually occurs in arbitrage trading.
However, after executing claim_admin_fees() before calling exchange(), based on the actual balances of this pool, the exchange rate becomes very favorable for Searcher.In Step 4, directly transferring 30000 CRV to Vyper_contract is a prerequisite for successfully calling claim_admin_fees(). If the value is significantly less than 30000 (e.g., 25000), a rollback will occur during the claiming process.
The arbitrage profit of 2879 ETH ($5,364,863) all flowed into the address c0ffeebabe.eth's pocket, without paying a priority fee or builder tip to the builder, and paid a base fee of approximately $32.3. After nearly two hours, c0ffeebabe.eth transferred the transaction proceeds to Curve.fi: Deployer.
In essence, this arbitrage is not something that anyone can easily do. The white hat understands the intricate operations within smart contracts.
That being said, there are still questions that remain unanswered, such as: why did the "to" address transfer to itself 3 times? And what's the connection between this TX and other large amount arbitrages?
White Hat, Arbitrage, Price Manipulation
