Massive Security Breach Plagues Curve Finance: Exploit Costs $47 Million

CryptoMode Loan Documents Coinbase Borrow Curve CRV Curve Finance

On July 30, the DeFi sector faced a jolting revelation. Curve Finance, a predominant name in the industry, reported a severe exploit. The breach originated from various stable pools, all powered by Vyper, resulting in a significant loss of over $47 million. Investigations revealed vulnerabilities in the 0.2.15, 0.2.16, and 0.3.0 versions of Vyper that led to the mishap.

The Unexpected Vulnerability Is Catastrophic for Curve Finance

According to reports, malfunctioning reentrancy locks in these Vyper versions triggered the exploit. Vyper made this fact public, urging projects dependent on these versions to get in touch for damage control. Ancilia, a renowned security firm, shared a detailed analysis of the situation. The firm revealed that 136 contracts with reentrant protection used Vyper 0.2.15. Meanwhile, 98 contracts were associated with Vyper 0.2.16, and 226 utilized Vyper 0.3.0.

The crux of the problem resided within the Vyper compiler. Specific versions failed to implement the reentrancy guard properly. This component is essential to prevent the simultaneous execution of multiple functions, thereby securing a contract. Failure to implement this guard opens up the possibility of reentrancy attacks that can drain all funds from a contract. It proved to be the unfortunate fate for Curve Finance.

The Genesis of Vyper

Check out our weekly crypto and fintech newsletter here! Follow CryptoMode on Twitter, Youtube and TikTok for news updates!

Vyper is not an obscure name within the crypto universe. It’s an eminent contract-oriented programming language that targets the Ethereum Virtual Machine (EVM). Its uncanny resemblance to Python renders it an ideal stepping stone for Python developers venturing into the Web3 realm.

The impact of the exploit wasn’t confined to Curve Finance. The shockwave reverberated through several decentralized finance projects. Ellipsis, a decentralized exchange, reported an exploit on several of its BNB stable pools owing to an outdated Vyper compiler.

Other significant losses included Alchemix’s alETH-ETH pool witnessing a $13.6 million outflow, JPEGd’s pETH-ETH pool losing $11.4 million, and Metronome’s sETH-ETH pool being reduced by $1.6 million. Adding salt to the wound, Michael Egorov, Curve Finance CEO, confirmed a loss of 32 million CRV tokens. This amounted to over $22 million drained from the swap pool.

DeFi Ecosystem in Turmoil

The ripple effects of the exploit didn’t stop there. The breach induced panic throughout the DeFi ecosystem, spurring a surge of transactions across pools. Simultaneously, it kickstarted a rescue mission by white hats.

This unfortunate event is not an isolated incident for Curve Finance. The protocol, famed for enabling the decentralized exchange of stablecoins on Ethereum, has been a recurring target.

Just days prior, Conic Finance, another extension of the Curve ecosystem, fell victim to a $3.26 million exploit in Ether. The stolen amount was swiftly transferred to a new Ethereum address in a single transaction.

None of the information on this website is investment or financial advice. CryptoMode is not responsible for any financial losses sustained by acting on information provided on this website.