Curve Finance reentrancy bug, total loss exceeds $41 million, CRV drops 16%
The DeFi protocol Curve Finance has been hit by multiple exploits, with over $41 million in funds drained. The initial attack targeted the Alchemix, Metronome, and JPEGd pools, all of which had a security flaw known as a reentrancy vulnerability.
Vyper Version Vulnerable to Reentrancy Bug
Curve Finance is a decentralized exchange (DEX) optimized for efficient stablecoin trading, providing multiple token pools. According to data compiled by blockchain security company Ancilia, the affected stablecoin pools, namely alETH/ETH, msETH/ETH, pETH/ETH, and CRV/ETH, all utilize a smart contract language called Vyper. Versions 0.2.15, 0.2.16, and 0.3.0 of Vyper are susceptible to reentrancy lock failures, allowing hackers to repeatedly extract funds from the smart contracts. As per PeckShield's statistics, assets worth $52 million have already been lost.
Our detection system detected hack tx: 0xb676d789bb8b66a08105c844a49c2bcffb400e5c1cfabd4bc30cca4bff3c9801, where hacker: 0xdce5d6b41c32f578f875efffc0d422c57a75d7d8 gained 7259ETH by exploiting the vulnerable contract: 0xc4c319e2d4d66cca4464c0c2b32c9bd23ebe784e pic.twitter.com/2atKPVkynx
— Ancilia, Inc. (@AnciliaInc) July 30, 2023
The Curve Finance team is currently assessing the situation and has stated that all pools except alETH/ETH, msETH/ETH, pETH/ETH, and CRV/ETH are secure and unaffected.
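To check whether contracts in your own codebase target one of the Vyper versions named above, the following added example (not code from the article, Ancilia, or the Vyper project) scans Vyper source for its version pragma and its `@nonreentrant` guards. The status labels, the function names, and the npm-style reading of `^` ranges are assumptions of this example.

```python
import re

# Vyper releases the article lists as having a failing reentrancy lock.
AFFECTED = {(0, 2, 15), (0, 2, 16), (0, 3, 0)}

PRAGMA = re.compile(
    r"^#\s*(?:@version|pragma\s+version)\s+(\^|>=|==)?\s*(\d+)\.(\d+)\.(\d+)", re.M)
GUARD = re.compile(r"^\s*@nonreentrant\(\s*['\"]([^'\"]+)['\"]\s*\)", re.M)


def satisfies(op, pinned, candidate):
    """True if `candidate` is a compiler version the pragma would accept."""
    if op == ">=":
        return candidate >= pinned
    if op == "^":  # assumption: npm-style caret, so ^0.2.x stays within 0.2
        width = 1 if pinned[0] else 2 if pinned[1] else 3
        return candidate[:width] == pinned[:width] and candidate >= pinned
    return candidate == pinned  # bare version or "=="


def audit(source):
    """Classify one Vyper source file by pragma and reentrancy guards."""
    guards = sorted(set(GUARD.findall(source)))
    m = PRAGMA.search(source)
    if m is None:
        return {"status": "unknown-compiler", "versions": [], "guards": guards}
    op = m.group(1) or ""
    pinned = tuple(int(part) for part in m.group(2, 3, 4))
    hits = sorted(v for v in AFFECTED if satisfies(op, pinned, v))
    if not hits:
        status = "ok"
    elif not guards:
        status = "affected-no-guard"  # affected compiler, lock never relied on
    elif op in ("", "=="):
        status = "affected"  # pinned to a listed release and uses the lock
    else:
        status = "review"  # range admits a listed release; check the build
    versions = [".".join(map(str, v)) for v in hits]
    return {"status": status, "versions": versions, "guards": guards}


# Constructed sample input, not taken from any deployed pool.
SAMPLE = """# @version 0.2.15
@external
@nonreentrant('lock')
def remove_liquidity(amount: uint256):
    pass
"""

if __name__ == "__main__":
    print(audit(SAMPLE))
```

A source pragma only states what the author intended; confirm the compiler version recorded in the build or verification metadata before treating a deployed contract as clear.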
CRV Drops by 16%
According to CoinMarketCap data, the Curve DAO Token (CRV) dropped from $0.7376 to $0.5944 after the attack, then rebounded to $0.62 by press time, a 16% decrease.