Curve Finance Suffers $47 Million Exploit Due To Reentrancy Flaw Vulnerability Exposure

Curve Finance falls prey to an exploit causing over $47 million in losses. The vulnerability was traced back to flawed reentrancy locks in several versions of Vyper.

Curve Finance fell victim to an exploit leading to losses exceeding $47 million

Several stable pools on Curve Finance fell victim to an exploit on July 30, leading to losses exceeding $47 million. The culprit, according to the Vyper team, lies in its versions 0.2.15, 0.2.16, and 0.3.0, which have been found to have faulty reentrancy locks.

Active Investigation And Calls For Caution

Vyper, still investigating the issue, urged any project using these versions to get in touch immediately. Security firm Ancilia identified 136 contracts using Vyper 0.2.15, 98 contracts on 0.2.16, and 226 contracts on 0.3.0, all using reentrancy protection.

Preliminary investigation findings suggest that the reentrancy guard, which is meant to stop a contract function from being entered again while an earlier call into the contract is still in progress, was not implemented correctly in certain Vyper compiler versions, thereby making reentrancy attacks feasible. Such attacks can potentially empty a contract of all its funds.
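To make the guard's job concrete, here is an added Python model (not code from the article, Curve or Vyper) of a toy pool whose payout path calls out to the recipient before it updates balances. A correct guard shares a single lock across every guarded function; the flawed behaviour is modelled as an assumed per-function lock, which blocks re-entering the same function but not a different one, and the `simulate()` helper returns what each variant pays out from a single deposit.

```python
# Added illustration, not code from the article, Curve or Vyper.

class Reentered(Exception):
    """Raised when a guarded function is entered while its lock is held."""

class Pool:
    def __init__(self, lock_mode):
        self.lock_mode = lock_mode   # "shared" (correct) or "per_function"
        self.locks = {}              # lock slot -> held flag
        self.balances = {}           # depositor -> credited amount
        self.paid_out = 0            # total value handed to callbacks

    def deposit(self, who, amount):
        self.balances[who] = self.balances.get(who, 0) + amount

    def _payout(self, fn_name, who, on_payout):
        # A correct guard shares ONE lock slot across all guarded functions;
        # keying it per function lets a re-entry into a *different* one through.
        slot = "lock" if self.lock_mode == "shared" else fn_name
        if self.locks.get(slot):
            raise Reentered(fn_name)
        self.locks[slot] = True
        try:
            amount = self.balances.get(who, 0)
            self.paid_out += amount
            on_payout(amount)           # external call before the state update
            self.balances[who] = 0      # too late if on_payout re-entered
        finally:
            self.locks[slot] = False

    # Two distinct guarded entry points that trust the same stale balance.
    def remove_liquidity(self, who, on_payout):
        self._payout("remove_liquidity", who, on_payout)

    def claim(self, who, on_payout):
        self._payout("claim", who, on_payout)

def simulate(lock_mode, deposit=100):
    """Deposit once, withdraw via a callback that re-enters claim();
    returns (total paid out, whether the guard blocked the re-entry)."""
    pool = Pool(lock_mode)
    pool.deposit("lp", deposit)
    blocked = []
    def on_payout(_amount):
        try:
            pool.claim("lp", lambda _a: None)   # re-enter a different function
        except Reentered:
            blocked.append(True)                # a correct guard stops it here
    pool.remove_liquidity("lp", on_payout)
    return pool.paid_out, bool(blocked)
```

With the shared lock a single deposit of 100 pays out exactly 100 and the re-entry is rejected; with the per-function lock the same deposit pays out 200, which is the invariant (payouts never exceed credited balances) a pool audit or on-chain monitor should check.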

Affected DeFi Projects

Numerous DeFi projects suffered due to the attack. Decentralized exchange Ellipsis reported a minor exploitation of stable pools with BNB, attributing it to an outdated Vyper compiler. Alchemix's alETH-ETH experienced a $13.6 million outflow, while JPEGd's pETH-ETH pool and Metronome's sETH-ETH pool lost $11.4 million and $1.6 million, respectively. Curve Finance's CEO, Michael Egorov, later verified that over $22 million worth of 32 million CRV tokens had been siphoned from the swap pool.

Market Reaction And Aftermath

The exploit triggered a wave of panic throughout the DeFi sector, leading to a flurry of transactions across pools and initiating a rescue operation led by ethical hackers. CoinMarketCap data indicated a drop of over 20% in the value of Curve Finance's utility token CRV following the news (at the time of writing). According to Curve Finance, crvUSD contracts and pools containing it were unaffected by the attack.

It's not the first time Curve has been a target for hackers. Conic Finance, its omnipool platform, recently saw a theft of over $3 million in ETH.
