On July 30, Curve Finance suffered exploits on a number of its stable pools that were using Vyper, which is a smart contract programming language for the Ethereum Virtual Machine (EVM).
Curve alerted its users that alETH, msETH, and pETH stable pools using Vyper 0.2.15 had been exploited “as a result of a malfunctioning reentrancy lock.”
It added that crvUSD contracts and any pools with it were not affected. Curve operates 232 different pools, but only ones using these versions of Vyper were affected.
In addition, crvUSD contracts and any pools with it are also not affected. This is implied in the tweet but still https://t.co/YSRKBVA7Fd
— Curve Finance (@CurveFinance) July 30, 2023
Curve Hacker Returns Some Funds
Curve Finance CEO Michael Egorov said in a Telegram channel that 32 million CRV tokens worth over $22 million had been drained from the swap pool. However, total losses were estimated to be upwards of $40 million.
The incursion has destabilized the DeFi ecosystem, much of which is reliant on Curve’s stable pools. Several DeFi protocols, such as Ellipsis, Alchemix, and Metronome, reported exploited stable pools.
A reentrancy attack occurs when a computing procedure can be interrupted and re-entered before its previous invocations have completed execution.
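What a reentrancy lock does, and what changes when it malfunctions, shown as a toy Python simulation added here (not Curve's or Vyper's code; the `Pool` class, the account names and the amounts are constructed for illustration):

```python
import copy

class ReentrancyError(Exception):
    """Raised when a guarded function is entered while already running."""

class Pool:
    # Toy pool, constructed for illustration; not Curve's contract.
    def __init__(self, lock_works):
        self.lock_works = lock_works   # False models a malfunctioning lock
        self.locked = False
        self.shares = {}
        self.reserve = 0

    def deposit(self, who, amount):
        self.shares[who] = self.shares.get(who, 0) + amount
        self.reserve += amount

    def withdraw(self, who, on_receive):
        if self.locked and self.lock_works:
            raise ReentrancyError("withdraw re-entered")
        self.locked = True
        amount = min(self.shares.get(who, 0), self.reserve)
        self.reserve -= amount
        on_receive(amount)       # external call: control leaves the pool
        self.shares[who] = 0     # bookkeeping happens only after the call
        self.locked = False
        return amount

def simulate(lock_works, reentries):
    """Return (amount paid to the caller, reserve left in the pool)."""
    pool = Pool(lock_works)
    pool.deposit("others", 90)
    pool.deposit("caller", 10)
    snapshot = copy.deepcopy(pool.__dict__)
    received = []

    def on_receive(amount):
        received.append(amount)
        if len(received) <= reentries:   # call back in before withdraw() finished
            pool.withdraw("caller", on_receive)

    try:
        pool.withdraw("caller", on_receive)
    except ReentrancyError:
        pool.__dict__ = snapshot         # model an EVM revert: state rolls back
        received.clear()
    return sum(received), pool.reserve

if __name__ == "__main__":
    for works in (True, False):
        print(works, simulate(works, 0), simulate(works, 2))
```

With a working lock the nested call turns the whole transaction into a revert, so a test asserting that outcome fails as soon as the lock stops doing its job.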
On July 31, PeckShield reported that the Curve exploiter had returned 2,879 ETH worth around $5.4 million to the protocol deployer address.
#PeckShieldAlert c0ffeebabe.eth has returned 2,879 $ETH (~$5.4m) to #Curve deployer https://t.co/33BJLaq12A pic.twitter.com/2Jq0JOsrhV
— PeckShieldAlert (@PeckShieldAlert) July 31, 2023
This story is still developing, and things will become clearer when post-mortems are issued.
Curve has been targeted recently, with its Conic Finance omnipool getting exploited for $3.6 million in Ethereum last week in a similar reentrancy attack.
Furthermore, Curve Finance’s total value locked has tanked 43% since the exploit, falling from $3.26 billion to $1.87 billion, according to DeFiLlama.
CRV Price Crashes
Curve’s native token, CRV, dumped 18% in the hours following the attack. At the time of writing, CRV was trading at $0.621, having lost 15% over the past 24 hours.
The DeFi token has had a rough ride recently, dropping 23% over the past fortnight. As a result, CRV remains down a painful 96% from its August 2020 all-time high of $15.37.
Most of the tokens in the DeFi ecosystem have been hit hard in this bear market and remain down 80-90% from their peak price levels.