On July 30, Curve Finance, a prominent stablecoin lending protocol, experienced a significant exploit on several stable pools. The exploit was traced back to vulnerabilities in specific versions of the Vyper compiler, a smart contract programming language for the Ethereum Virtual Machine (EVM), Cryptopolitan reported.
The affected versions were 0.2.15, 0.2.16, and 0.3.0. The exploit mechanism, known as “malfunctioning reentrancy locks,” allowed the attacker to bypass the intended safeguards and drain funds from the targeted contracts.
According to Curve Finance CEO Michael Egorov in a Telegram channel, the swap pool has been drained of 32 million CRV tokens, which are worth over $22 million. However, experts estimate that the total loss could be more than $40 million.
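For teams maintaining Vyper contracts, the three affected compiler versions named above can be checked against a source tree. The following is an added example, not code from Curve, Vyper or the original article: it flags files that pin one of those versions and also use a `@nonreentrant` lock. The `audit` function, its status labels and the sample contract are assumptions made for illustration.

```python
import re

# Compiler versions the article lists as affected.
AFFECTED = {"0.2.15", "0.2.16", "0.3.0"}
# Vyper version pragmas: "# @version X" (older) or "# pragma version X" (newer).
PRAGMA = re.compile(r"^\s*#\s*(?:@version|pragma\s+version)\s+(\S.*?)\s*$", re.M)
EXACT = re.compile(r"^=?=?\s*(\d+\.\d+\.\d+)$")
LOCK = re.compile(r"^\s*@nonreentrant\(\s*['\"]([^'\"]+)['\"]\s*\)", re.M)

# Constructed sample source for the demo (not a real Curve contract).
POOL = '''# @version 0.2.15
@external
@nonreentrant("lock")
def remove_liquidity(amount: uint256):
    pass
'''


def audit(source: str) -> dict:
    """Classify one Vyper source file by pinned compiler version and lock use."""
    locks = sorted(set(LOCK.findall(source)))
    pragma = PRAGMA.search(source)
    if pragma is None:
        # No pragma: the compiler version must come from build metadata instead.
        return {"status": "unknown", "version": None, "locks": locks}
    spec = pragma.group(1)
    exact = EXACT.match(spec)
    if exact is None:
        # Range specs (^, >=, ~) do not say which compiler built the bytecode.
        return {"status": "check-build", "version": spec, "locks": locks}
    version = exact.group(1)
    if version not in AFFECTED:
        # "ok" only means the version is not one of the three listed above.
        status = "ok"
    elif locks:
        status = "affected-lock-in-use"
    else:
        status = "affected-compiler"
    return {"status": status, "version": version, "locks": locks}


if __name__ == "__main__":
    print(audit(POOL))
```

A source pragma only records what the author requested; for deployed contracts, the compiler version recorded at verification time is the authoritative input.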
Impact on DeFi ecosystem and Curve Finance
The exploit significantly impacted the DeFi ecosystem, with several projects reporting substantial financial losses. These include decentralized exchange Ellipsis, Alchemix’s alETH-ETH pool, JPEGd’s pETH-ETH pool, and Metronome’s sETH-ETH pool. The total losses were estimated to be upwards of $24 million. The incident triggered a wave of panic across the DeFi ecosystem, prompting a flurry of transactions across various pools. In response to the news, Curve Finance’s native token, CRV, experienced a decline of over 5%.
Hacker returns some funds, and future measures
In a surprising turn, the exploiter returned some of the stolen funds to the protocol. PeckShield, a blockchain security company, reported that the Curve exploiter had returned 2,879 ETH, worth around $5.4 million, to the protocol deployer address. The incident underscores the importance of robust security measures in DeFi protocols. As the investigation progresses and more updates unfold concerning the hack, developers are expected to work closely with the Vyper team to address the vulnerabilities and prevent future exploits.
This is not the first time Curve Finance has been the target of an attack. Its Conic Finance omnipool was exploited last week, resulting in a loss of $3.6 million in Ethereum due to a reentrancy attack.
Additionally, Curve Finance’s total value locked has decreased by 43% since the exploit, dropping from $3.26 billion to $1.87 billion, as reported by DeFiLlama. At press time, the CRV token is down by 12% and trading at $0.645336.