- Curve Finance loses $24 million to a reentrancy exploit in the programming language it is built on, leaving affiliated projects with losses and others potentially affected.
- The total value of assets held on Curve has plummeted to a little over half its initial value, spelling a potential disaster for the DeFi exchange.
Curve Finance Token Takes a Hit from DeFi Exploit
Curve Finance, a stablecoin exchange on Ethereum, took a hit on Sunday after it suffered an exploit that placed the project at risk of losing around $100 million. According to a tweet from the project, several stablepools using Vyper 0.2.15-0.3.0, the programming language that powers the Curve system, have been exploited due to a malfunctioning reentrancy lock. The vulnerability enabled attackers to manipulate the pool balances and withdraw more funds than they had deposited.
What is Curve Finance?
Curve Finance is an automated market maker (AMM) platform that enables users to trade stablecoins and other low-volatility tokens and provide liquidity. Curve seeks to provide liquidity providers with low slippage, high capital efficiency, and attractive yields. Curve has a governance token called CRV that can be staked or used to vote on protocol decisions. The platform uses smart contracts to let traders swap, lend and borrow stablecoins. The DeFi platform has also begun supporting non-stablecoin trading since expanding from Ethereum to other layer 1 and 2 blockchains.
Reentrancy, the class of vulnerability exploited here, is a smart contract flaw that lets an attacker execute a function again before the prior call to it has completed. This can result in unanticipated and potentially harmful behavior, such as the theft of funds or unauthorized data access. According to its website, the Curve exchange controls 232 different pools, but only pools utilizing Vyper versions 0.2.15, 0.2.16, and 0.3.0 were vulnerable.
“As a result of an issue in Vyper compiler in versions 0.2.15-0.3.0, the following pools were hacked: crv/eth, aleth/eth, mseth/eth, peth/eth,” the exchange tweeted on Monday. While they stated that other pools were safe from the exploit, depositors in Arbitrum’s tricrypto pool were advised to exit it, as it posed some risk.
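The reentrancy-lock failure described above, as a constructed Python model (an added example, not Curve or Vyper code). It assumes the faulty guard keeps a separate lock slot per function, a detail the article does not give; `Pool`, `transfer`, `run` and the balances are hypothetical. With the faulty guard a 10-unit depositor is paid 20, while a single shared lock rejects the nested call.

```python
from contextlib import contextmanager

class Reentered(Exception):
    """A guarded function was entered while its lock was held."""

class Pool:
    """Constructed toy pool for illustration; not Curve or Vyper code."""
    def __init__(self, shared_lock):
        self.shared_lock = shared_lock  # False models the malfunctioning guard
        self.locks, self.deposits, self.funds = set(), {}, 0

    @contextmanager
    def _guard(self, fn):
        # Assumed fault: one lock slot per function instead of one shared slot.
        slot = "lock" if self.shared_lock else fn
        if slot in self.locks:
            raise Reentered(fn)
        self.locks.add(slot)
        try:
            yield
        finally:
            self.locks.discard(slot)

    def deposit(self, who, amount):
        self.deposits[who] = self.deposits.get(who, 0) + amount
        self.funds += amount

    def transfer(self, src, dst):
        with self._guard("transfer"):
            self.deposits[dst] = self.deposits.get(dst, 0) + self.deposits.get(src, 0)
            self.deposits[src] = 0

    def withdraw(self, who, on_receive):
        with self._guard("withdraw"):
            amount = self.deposits.get(who, 0)
            on_receive(amount)      # external call made before state is updated
            self.deposits[who] = 0
            self.funds -= amount
            return amount

def run(shared_lock):
    pool = Pool(shared_lock)
    pool.deposit("others", 100)     # constructed sample balances
    pool.deposit("a", 10)
    try:
        paid = pool.withdraw("a", lambda amt: pool.transfer("a", "b"))
        paid += pool.withdraw("b", lambda amt: None)
    except Reentered:
        paid = 0                    # guard fired; the call reverts as a whole
    return paid, pool.funds         # (paid out to "a" and "b", funds left)
```

Moving the balance update ahead of `on_receive` in `withdraw` also closes the gap in this model, independently of the lock.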
Curve Finance Total Losses Estimated at $24 to $42 Million
A report from CoinMarketCap estimates the amount stolen to be over $24 million, with projects like Conic Finance, Metronome, and JPEG’d incurring losses worth up to $11 million. Tarun Chitra, founder and CEO of Gauntlet, pointed out that almost $20 million worth of CRV and a variant of Ether were stolen. At the same time, blockchain detective BlockSec estimated that by that time, more than $40 million would have been lost due to the protocol breach.
The exchange’s native token, CRV, has dropped by over 19% in the past 24 hours after facing backlash from users over the supposed portrayal of Vyper as a safer alternative to Solidity. The theft impacted trading markets for Curve DAO’s native CRV token, down 17% to $0.61.
On Monday, the total value of assets held on Curve plummeted from over $3 billion on Sunday to $1.7 billion. Meanwhile, Aave, the lending and borrowing protocol, disabled its CRV borrowing function. If CRV prices continue to rise and reach the liquidation threshold, the protocols will be compelled to liquidate the CRV positions.