Curve Finance, a prominent decentralized finance (DeFi) protocol, was exploited by hackers, leading to a loss of about $48 million in user funds and a subsequent fall in its native cryptocurrency, Curve (CRV). Blockchain security experts traced the exploit to a glitch in a specific version of Vyper, the platform’s programming language, impacting various stable pools, including alETH/msETH/pETH.
The Vyper team acknowledged the vulnerability on Twitter, stating that versions 0.2.15, 0.2.16, and 0.3.0 were susceptible to malfunctioning reentrancy attacks. However, Curve Finance founder, Michael Egorov, has yet to provide an official statement.
The only notice from the team was an assurance to the community that they are actively assessing the situation and will provide updates as they develop. The exploit severely affected Curve Finance’s native token, CRV, with its value experiencing a sharp decline of approximately 13% in less than 24 hours after the hack.
Currently, CRV is trading at $0.632, with a 24-hour trading volume of $284,113,772 and a market cap of $572,992,241, ranking it at 68 in market cap rankings. Earlier reports suggested that the hacker managed to steal nearly $20 million in CRV and a version of Ether.
However, an updated report by blockchain sleuth BlockSec revealed that the hacker had stolen over $40 million. Analysts opined that the vulnerability associated with the use of ‘use_eth’ often poses a risk to WETH-related pools, further compounding the magnitude of the attack. Moreover, the exploit had ripple effects on other major cryptocurrencies.
For instance, Bitcoin (BTC), the largest cryptocurrency by market cap, decreased by 0.53%, dropping to $29,106 from $29,353 in the last 24 hours. Similarly, Ether (ETH), the second-largest cryptocurrency, fell by 0.59% during the same period.
Hacker Returns $5.4 Million in Stolen Funds, But Vulnerabilities Persist
Meanwhile, multiple reports reveal that the hacker responsible for the Curve Finance exploit has returned 2,879 ETH, amounting to around $5.4 million, to the protocol’s deployer address. Despite the return of some funds, the investigation into the hack is still ongoing.
Several blockchain security experts have expressed willingness to collaborate closely with the Vyper team to address the vulnerabilities that allowed the exploit, so that a similar incident won’t happen again.
Preventative measures are crucial to safeguarding user funds and maintaining trust in DeFi platforms.
Curve Finance’s TVL Declines By 43% Post-Exploit
Following the exploit and loss of funds, Curve Finance’s total value locked (TVL) dropped significantly by nearly 43.5%. Its TVL dropped from $3.26 billion to $1.87 billion, according to data from the analytics platform, DeFiLlama.
This is not the first time Curve Finance has fallen victim to hacker exploits. Recently, hackers used a reentrancy attack to exploit its Conic Finance Omni pool, resulting in a loss of $3.6 million in Ethereum. These repeated attacks raise concerns about the protocol’s security measures and highlight the urgency of implementing enhanced safeguards to protect users’ funds.
DeFi attacks remain a significant concern for crypto industry players. While these attacks have slowed down in 2023 compared to 2022, the DeFi sector still lost more than $500 in the first half of 2023, indicating a need to urgently find a permanent solution to this issue.