Back

DeFi Ecosystem Suffers Fallout From $50M Curve Finance Exploit

author avatar

Written by
Martin Young

editor avatar

Edited by
Kyle Baird

31 July 2023 03:38 UTC
Trusted
  • The DeFi ecosystem was rocked as Curve Finance was exploited for over $50M in a reentrancy attack, impacting several protocols.
  • The exploit resulted in a $2.3B drop in Total Value Locked (TVL) across the DeFi ecosystem, with Curve Finance seeing a 44% TVL drop.
  • Despite a brutal CRV selloff, hackers still possess proceeds; failure of recovery could have serious implications for lending protocols.
Promo

The decentralized finance (DeFi) ecosystem has been severely shaken by the exploitation of the Curve Finance stablecoin lending platform. Various impacted protocols have experienced a tanking in total value locked, and the fallout is impacting areas far and wide.

A reentrancy attack caused an exploit on Curve Finance for upwards of $50 million on July 30. The exploit was across several stable pools running older versions of the Vyper smart contract programming language

Sponsored
Sponsored

Curve Finance Exploit Causes DeFi Fallout

Curve Finance alerted its users that a number of stablepools (alETH/msETH/pETH) using Vyper 0.2.15 “have been exploited as a result of a malfunctioning reentrancy lock.” It added that its crvUSD stablecoin pools were not affected. 

According to the Vyper official documentation, the recommended install is actually the faulty version. A bug in the smart contract language layer affects almost all protocols using Vyper.

Malicious actors are using reentrancy attacks to repeatedly re-enter a contract, resulting in unauthorized actions or fund theft. 

Sponsored
Sponsored

On July 31, blockchain security and auditing firm PeckShield reported that losses so far amounted to $52 million. Moreover, in addition to Curve, several protocols were impacted, including Alchemix, JPEG’d, Metronome, deBridge, and Ellipsis.

Aave Ethereum v2 version had also disabled its CRV borrowing function amid the panic. There is currently a $100 million CRV debt from protocol founder Michael Egorov teetering on liquidation. If CRV prices continue to rise and reach the liquidation threshold, the protocols will have to liquidate the CRV positions.

Find out How To Choose a Cryptocurrency Lending Platform

Some estimates have put the losses as high as $70 million. However, some of these funds are in the custody of whitehats and MEV bots and are potentially recoverable.

One such white hat with the address ‘c0ffeebabe.eth’ has already returned 2,879 ETH worth around $5.4 million to the Curve deployer address.

Total Value Locked Tanking

Sponsored
Sponsored

TVL across the entire DeFi ecosystem has tanked $2.3 billion since the exploit. As a result, ecosystem value locked is currently at $41.5 billion and still falling. 

The majority of this decline is from Curve Finance which has seen a TVL drop of 44% to $1.8 billion at the time of writing. 

CRV Price Chart in USD 1 week. Source: BeInCrypto 
CRV Price Chart in USD 1 week. Source: BeInCrypto 

CRV prices are also in trouble, with a 16% slump on the day to trade at $0.623. Furthermore, CRV has lost 23% over the past fortnight and remains down a whopping 96% from its all-time high. 

Despite the brutal CRV selloff, the hackers still have the proceeds, reported bankless. “Failure of recovery will result in the sale of CRV, which could have serious implications for lending protocols,” it added. 

Disclaimer

In adherence to the Trust Project guidelines, BeInCrypto is committed to unbiased, transparent reporting. This news article aims to provide accurate, timely information. However, readers are advised to verify facts independently and consult with a professional before making any decisions based on this content. Please note that our Terms and Conditions, Privacy Policy, and Disclaimers have been updated.