On July 30, Curve Finance, a prominent player in the decentralized finance (DeFi) sector, experienced a significant exploit on several of its stable pools. The exploit was traced back to specific versions of the Vyper compiler, a smart contract programming language for the Ethereum Virtual Machine (EVM). The affected versions were 0.2.15, 0.2.16, and 0.3.0. This incident led to losses estimated at $24 million at the time of reporting.
The exploit mechanism, known as “malfunctioning reentrancy locks,” allowed the attacker to bypass the intended safeguards and drain funds from the targeted contracts. The fallout from this incident was significant, affecting several other DeFi projects that relied on Curve’s stable pools. These included decentralized exchange Ellipsis, Alchemix’s alETH-ETH pool, JPEGd’s pETH-ETH pool, and Metronome’s sETH-ETH pool, all of which reported substantial financial losses.
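The article names the failure as a reentrancy lock that did not work but does not show what a working lock looks like or how to check one. The following Python model is an added example, not code from the article, Curve or Vyper: it contrasts a guard whose state is shared by every guarded function with an assumed malfunctioning variant whose lock state is tracked per function, and it includes a small audit routine that reports which guarded functions can still be entered from inside an external call. The pool, the `add_liquidity`/`remove_liquidity` names, the "alice" balances and the per-function-lock model are all constructed for illustration.

```python
from typing import Callable, Dict, Set


class Reentrancy(Exception):
    """Raised when a guarded function is entered while its lock is already held."""


class SharedLockPool:
    """Pool whose guarded functions all share one lock slot (the intended design)."""

    def __init__(self) -> None:
        self.balances: Dict[str, int] = {}
        self._locked = False

    def _guarded(self, fn: Callable, *args):
        # A single flag for every guarded function: any nested entry is refused.
        if self._locked:
            raise Reentrancy(fn.__name__)
        self._locked = True
        try:
            return fn(*args)
        finally:
            self._locked = False

    def add_liquidity(self, who: str, amount: int) -> None:
        self._guarded(self._add, who, amount)

    def remove_liquidity(self, who: str, amount: int, on_transfer: Callable) -> None:
        self._guarded(self._remove, who, amount, on_transfer)

    def _add(self, who: str, amount: int) -> None:
        self.balances[who] = self.balances.get(who, 0) + amount

    def _remove(self, who: str, amount: int, on_transfer: Callable) -> None:
        if self.balances.get(who, 0) < amount:
            raise ValueError("insufficient balance")
        # Simulated external transfer; the callee may call back into the pool
        # before the balance below is updated, so only the lock protects us here.
        on_transfer(self)
        self.balances[who] -= amount


class PerFunctionLockPool(SharedLockPool):
    """Assumed model of a malfunctioning guard (constructed for this example):
    each function tracks its own lock, so a nested call into a *different*
    guarded function is not refused."""

    def __init__(self) -> None:
        super().__init__()
        self._locks: Dict[str, bool] = {}

    def _guarded(self, fn: Callable, *args):
        if self._locks.get(fn.__name__, False):
            raise Reentrancy(fn.__name__)
        self._locks[fn.__name__] = True
        try:
            return fn(*args)
        finally:
            self._locks[fn.__name__] = False


def audit_cross_function_reentry(pool_factory: Callable[[], SharedLockPool]) -> Set[str]:
    """Return the names of guarded functions reachable from inside remove_liquidity.

    An empty set means the guard behaves as intended; every name listed is a gap
    that a reviewer should treat as a reentrancy finding."""
    pool = pool_factory()
    pool.add_liquidity("alice", 100)  # constructed sample state
    unblocked: Set[str] = set()

    def probe(p: SharedLockPool) -> None:
        # The "external callee" tries to re-enter each guarded function once.
        attempts = {
            "add_liquidity": lambda: p.add_liquidity("alice", 1),
            "remove_liquidity": lambda: p.remove_liquidity("alice", 1, lambda _p: None),
        }
        for name, call in attempts.items():
            try:
                call()
            except Reentrancy:
                continue  # the guard held, as it should
            unblocked.add(name)

    pool.remove_liquidity("alice", 10, probe)
    return unblocked


if __name__ == "__main__":
    print("shared lock, unguarded entries:", audit_cross_function_reentry(SharedLockPool))
    print("per-function lock, unguarded entries:", audit_cross_function_reentry(PerFunctionLockPool))
```

The audit is the part worth keeping: a guard that only blocks re-entry into the same function passes a naive single-function test and still leaves every other state-changing function open during an external call, so reentrancy tests should always probe across functions, not just back into the caller.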
The aftermath and response
In response to the exploit, the team behind Vyper, the Python-based smart contract programming language, acknowledged the severity of the situation and urged all projects relying on the affected versions to reach out immediately. The incident triggered a wave of panic across the DeFi ecosystem, prompting a flurry of transactions across various pools, and white hat hackers initiated a rescue operation.
Curve Finance confirmed that the attack did not affect crvUSD contracts or any associated pools. However, CRV, the utility token of Curve Finance, fell by more than 5% in response to the news.
The return of some funds and market reaction
In a surprising turn of events, the hacker returned a portion of the stolen funds. PeckShield, a blockchain security company, reported that the exploiter had returned 2,879 ETH, worth around $5.4 million, to the protocol deployer address. Despite this, the impact on the DeFi ecosystem was significant, with Curve Finance’s total value locked (TVL) dropping 43% since the exploit, falling from $3.26 billion to $1.87 billion.