
$100M still at risk on Curve Finance after exploit drains stable pools

An estimated $47 million has already been drained from Curve Finance following a Vyper reentrancy vulnerability, but not all stable pools are at risk.

Curve Finance, a prominent stablecoin exchange that supports the Ethereum DeFi system, suffered a major exploit on June 30 following malfunctioning reentrancy locks on some versions of Vyper. Several stable pools were drained, with losses reaching $47 million, according to smart contract auditing firm BlockSec.

$100 million in cryptocurrency could still be at risk due to the bug. 

Vyper is a pythonic programming language designed for writing Ethereum smart contracts. Versions 0.2.15, 0.2.16 and 0.3.0 remain vulnerable to malfunctioning reentrancy locks, according to a Vyper announcement on X. “The investigation is ongoing but any project relying on these versions should immediately reach out to us,” it added.

$73,000 was also lost on the Binance Smart Chain, according to BlockSec.

Curve operates 232 different pools, but not all of them are vulnerable. 

Writing on X, Curve Finance stated that a “number of stablepools (alETH/msETH/pETH) using Vyper 0.2.15 have been exploited as a result of a malfunctioning reentrancy lock. We are assessing the situation and will update the community as things develop. Other pools are safe.”

It clarified: “To be clear – the dangerous combination was the affected Vyper version AND using pure ETH.” 

CrvUSD contracts and any pools with it are unaffected. 


Security firm Ancilia, Inc. did a “fast run” on GitHub and found that approximately 460 contracts were affected by the bug. Of these, 136 were compiled with Vyper 0.2.15, 98 with version 0.2.16, and 226 with version 0.3.0.
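
A source-level triage check in the spirit of the scan described above, using the affected versions listed in this article and the "affected Vyper version AND pure ETH" combination Curve named. This is an added example, not Ancilia's or Curve's tooling; the `classify` function, its result labels, the ETH-handling heuristic and the sample sources are assumptions constructed for illustration.

```python
import re

# Affected compiler releases, as listed in the article.
AFFECTED = {"0.2.15", "0.2.16", "0.3.0"}

# Vyper version pragma: "# @version X" or "# pragma version X".
PRAGMA_RE = re.compile(r"^\s*#\s*(?:@version|pragma\s+version)\s+(\S.*?)\s*$", re.M)
EXACT_RE = re.compile(r"^(?:==?\s*)?(\d+\.\d+\.\d+)$")
LOCK_RE = re.compile(r"^\s*@nonreentrant\b", re.M)
# Heuristic (assumption) for native ETH handling: payable functions,
# value= keyword arguments (e.g. to raw_call), or send().
ETH_RE = re.compile(r"^\s*@payable\b|\bvalue\s*=(?!=)|\bsend\s*\(", re.M)


def classify(source: str) -> str:
    """Triage one Vyper source file by declared version, lock use and ETH use."""
    pragma = PRAGMA_RE.search(source)
    if not pragma:
        return "unknown-version"
    exact = EXACT_RE.match(pragma.group(1))
    if not exact:
        # ^ or >= ranges: confirm the compiler actually used for deployment.
        return "review-range"
    if exact.group(1) not in AFFECTED:
        return "version-not-listed"
    if not LOCK_RE.search(source):
        return "listed-version-no-lock"
    if ETH_RE.search(source):
        return "listed-version-lock-and-eth"  # the combination Curve called dangerous
    return "listed-version-lock"


# Constructed sample sources, not real Curve contracts.
LOCKED = "@external\n@nonreentrant('lock')\ndef exchange(dx: uint256):\n    pass\n"
SAMPLES = {
    "eth_pool.vy": "# @version 0.2.15\n@external\n@payable\n@nonreentrant('lock')\n"
                   "def add_liquidity(amount: uint256):\n    pass\n\n"
                   "@external\n@nonreentrant('lock')\n"
                   "def remove_liquidity(amount: uint256):\n"
                   "    raw_call(msg.sender, b\"\", value=amount)\n",
    "token_pool.vy": "# @version 0.3.0\n" + LOCKED,
    "newer.vy": "# @version 0.3.7\n" + LOCKED,
    "ranged.vy": "# @version ^0.2.15\n" + LOCKED,
    "no_pragma.vy": LOCKED,
}

if __name__ == "__main__":
    for name, src in SAMPLES.items():
        print(f"{name}: {classify(src)}")
```

The pragma only records the declared version; the compiler version recorded at deployment or source verification is what determines exposure.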

Following news of the exploit, CRV, the Curve DAO token, experienced negative price action, dropping by 18% from $0.734 to $0.599 in a few hours.

At the time of writing, the token is trading at $0.641 (CoinGecko).
