July 31, 2023

The Aftermath of the Curve Finance Hack

The decentralized finance (DeFi) industry has faced another significant setback. Curve Finance, a prominent DeFi protocol, was exploited on July 30, leading to losses surpassing $47 million. The incident was the consequence of a reentrancy vulnerability in Vyper versions 0.2.15, 0.2.16, and 0.3.0, which several stable pools on Curve Finance were using.

The Vulnerability

The primary cause of the exploit was a malfunction in the reentrancy locks of specific versions of Vyper, a contract-oriented, pythonic programming language that targets the Ethereum Virtual Machine (EVM). This programming language is a preferred choice for Python developers transitioning into Web3 due to its similarity to Python.

The initial investigation reveals that these Vyper compiler versions do not implement the reentrancy guard correctly. A reentrancy guard locks a contract while a protected function is executing, preventing multiple functions from being executed concurrently. If the guard is not implemented correctly, an attacker can re-enter the contract in the middle of a call and potentially drain all of its funds. Ancilia, a security firm, has identified 136 contracts using Vyper 0.2.15, 98 contracts using Vyper 0.2.16, and 226 contracts using Vyper 0.3.0 with reentrancy protection.
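A team can triage its own Vyper sources for the same combination (an affected compiler version plus a reentrancy lock) with a short script. This is an added example, not code from Curve, Vyper or Ancilia; the `# @version` pragma and `@nonreentrant` decorator are Vyper syntax, while the function names, verdict labels and sample contract are assumptions made for illustration.

```python
import re

# Compiler versions the article names as having a faulty reentrancy lock.
AFFECTED = {"0.2.15", "0.2.16", "0.3.0"}

# Vyper sources declare their compiler in a "# @version ..." comment.
VERSION_RE = re.compile(r"^#\s*@version\s+([\^~<>=]*)\s*(\d+\.\d+\.\d+)", re.M)
GUARD_RE = re.compile(r"@nonreentrant\(\s*['\"]([^'\"]+)['\"]\s*\)")
DEF_RE = re.compile(r"def\s+(\w+)\s*\(")


def guarded_functions(source):
    """Return [(function_name, lock_key)] for each @nonreentrant function."""
    found, pending_key = [], None
    for line in source.splitlines():
        stripped = line.strip()
        guard = GUARD_RE.match(stripped)
        if guard:
            pending_key = guard.group(1)
            continue
        func = DEF_RE.match(stripped)
        if func:
            if pending_key is not None:
                found.append((func.group(1), pending_key))
            pending_key = None  # a decorator only applies to the next def
    return found


def triage(source):
    """Classify one Vyper source file for the reentrancy-lock issue."""
    guards = guarded_functions(source)
    match = VERSION_RE.search(source)
    operator, version = match.groups() if match else (None, None)
    if not guards:
        verdict = "no-guard-used"         # no lock in use, so the lock defect is not the issue
    elif version is None or operator not in ("", "=="):
        verdict = "confirm-compiler"      # range or missing pragma: check the actual build
    elif version in AFFECTED:
        verdict = "review"                # affected compiler plus a reentrancy lock
    else:
        verdict = "not-in-affected-list"
    return {"version": version, "guards": guards, "verdict": verdict}


# Constructed sample input, not taken from any deployed contract.
SAMPLE = '''# @version 0.2.15
@external
@nonreentrant("lock")
def withdraw(amount: uint256):
    pass
'''
```

A `review` verdict only says the file matches the pattern the article describes; the compiler recorded for the deployed bytecode is what settles whether a contract was built with one of those versions.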

Curve Hack

Several DeFi projects were affected by this exploit, leading to significant outflows. For instance, Ellipsis, a decentralized exchange, reported that a few stable pools with BNB were exploited using an old Vyper compiler. Alchemix’s alETH-ETH saw an outflow of $13.6 million. JPEGd’s pETH-ETH pool was exploited for $11.4 million, and Metronome’s sETH-ETH pool lost $1.6 million.

Following these attacks, Michael Egorov, the CEO of Curve Finance, confirmed that over 32 million CRV tokens worth more than $22 million had been drained from the swap pool. This confirmation came in the wake of a panic across the DeFi ecosystem, leading to numerous transactions across pools and a rescue operation by white hats.

CoinMarketCap data shows that Curve Finance’s utility token Curve DAO (CRV) declined over 5% in reaction to the news. The liquidity of CRV has decreased significantly in recent months, making it prone to violent price swings.

Despite the significant damage, Curve Finance gave assurances that crvUSD contracts and any pools associated with them were not affected by the exploit. In the aftermath of the hack, Curve Finance confirmed the incident and admitted that they couldn’t secure the pool in time. A single transaction visible on Etherscan confirmed the exploit.

Transaction on Etherscan

Context

This exploit comes as the latest in a series of incidents targeting Curve Finance. Only a few days earlier, an attacker exploited the omnipool platform of Conic Finance, making off with $3.26 million in Ether (ETH). The perpetrator transferred almost the entire stolen sum to a new Ethereum address in one swift transaction.

The Curve Finance hack is a part of a broader pattern of attacks on DeFi protocols. According to a report from the Web3 portfolio app, De.Fi, DeFi hacks and scams accounted for over $204 million in losses in just the second quarter of 2023.

Repayment & Return

As a result of the incident, the Curve founder acted promptly and repaid 4.63M USDT and deposited 16M CRV (equivalent to $10.12M) on Aave. Currently, he has a collateral of 293M CRV (valued at $181M) and a debt of 59.68M USDT on Aave, with a health rate of 1.69.

Aave profile

In an unexpected turn of events, a crypto user named c0ffeebabe.eth returned 2,879 ETH (approximately $5.4m) to the Curve deployer. This event has mitigated some of the loss caused by the hack.

Return Transaction on Etherscan

The Aftermath

Investigators also identified the hacker’s addresses and the amount of funds exploited in relation to the Curve hack. The total amount exploited so far is around $52M.

Hacker’s Addresses:

  • 0xdce5d6b41c32f578f875efffc0d422c57a75d7d8: 7,259 ETH ($13.5M), related to AlchemixFi
  • 0x6ec21d1868743a44318c3c259a6d4953f9978538

From these events, it’s clear that DeFi protocols, while promising, still have their vulnerabilities. Protocols and users alike should remain vigilant and proactive in implementing and following the best security practices.

Unprecedented Events

It has indeed been a crazy day in crypto. While many crypto enthusiasts were gambling on Base, the Curve hack occurred, leaving 32M CRV tokens in the hands of the hacker. Even more shocking was the potential for a $100M CRV liquidation on Aave at $0.42 USD, although the founder has been making efforts to repay the debt.

Curve Hack Analysis

As the dust settles on the Curve Finance hack, the full impact on the ecosystem is becoming clear. The attack struck a heavy blow to the DeFi ecosystem, especially impacting the tokens that suffered direct consequences. For instance, several tokens lost over 30% of their value due to the CRV exploit.

The quick response by the Curve founder to repay some of the lost funds and the unexpected return of funds by a third party, along with the ironic twist of the hacker losing the stolen funds, have slightly mitigated the situation. Still, the incident serves as a reminder of the potential vulnerabilities within smart contracts and the wider DeFi space.

It is important for projects within the DeFi space to continually invest in security measures, audit their smart contracts, and create contingency plans for possible exploits. Users must also be vigilant and consider the risk factors when interacting with DeFi platforms.

The Curve Finance hack is a stark reminder that the innovative and high-reward potential of the DeFi sector also comes with significant risk. As the sector matures, the expectation is that developers and organizations will adopt robust security measures as standard practice, thereby reducing the likelihood of such exploits in the future.

About The Author

Nik Asti

Nik is an accomplished analyst and writer at Metaverse Post, specializing in delivering cutting-edge insights into the fast-paced world of technology, with a particular emphasis on AI/ML, XR, VR, on-chain analytics, and blockchain development. His articles engage and inform a diverse audience, helping them stay ahead of the technological curve. Possessing a Master's degree in Economics and Management, Nik has a solid grasp of the nuances of the business world and its intersection with emergent technologies.
