The decentralized finance (DeFi) ecosystem has been severely shaken by the exploitation of the Curve Finance stablecoin lending platform. Various impacted protocols have experienced a tanking in total value locked, and the fallout is impacting areas far and wide.
A reentrancy attack caused an exploit on Curve Finance for upwards of $50 million on July 30. The exploit was across several stable pools running older versions of the Vyper smart contract programming language.
Curve Finance Exploit Causes DeFi Fallout
Curve Finance alerted its users that a number of stablepools (alETH/msETH/pETH) using Vyper 0.2.15 “have been exploited as a result of a malfunctioning reentrancy lock.” It added that its crvUSD stablecoin pools were not affected.
According to the Vyper official documentation, the recommended install is actually the faulty version. A bug in the smart contract language layer affects almost all protocols using Vyper.
Malicious actors are using reentrancy attacks to repeatedly re-enter a contract, resulting in unauthorized actions or fund theft.
On July 31, blockchain security and auditing firm PeckShield reported that losses so far amounted to $52 million. Moreover, in addition to Curve, several protocols were impacted, including Alchemix, JPEG’d, Metronome, deBridge, and Ellipsis.
Aave Ethereum v2 version had also disabled its CRV borrowing function amid the panic. There is currently a $100 million CRV debt from protocol founder Michael Egorov teetering on liquidation. If CRV prices continue to rise and reach the liquidation threshold, the protocols will have to liquidate the CRV positions.
Find out How To Choose a Cryptocurrency Lending Platform
Some estimates have put the losses as high as $70 million. However, some of these funds are in the custody of whitehats and MEV bots and are potentially recoverable.
One such white hat with the address ‘c0ffeebabe.eth’ has already returned 2,879 ETH worth around $5.4 million to the Curve deployer address.
Total Value Locked Tanking
TVL across the entire DeFi ecosystem has tanked $2.3 billion since the exploit. As a result, ecosystem value locked is currently at $41.5 billion and still falling.
The majority of this decline is from Curve Finance which has seen a TVL drop of 44% to $1.8 billion at the time of writing.
CRV prices are also in trouble, with a 16% slump on the day to trade at $0.623. Furthermore, CRV has lost 23% over the past fortnight and remains down a whopping 96% from its all-time high.
Despite the brutal CRV selloff, the hackers still have the proceeds, reported bankless. “Failure of recovery will result in the sale of CRV, which could have serious implications for lending protocols,” it added.