Curve Finance Vulnerability Exposes $100M+ Worth of Crypto; CRV Token Plummets

A vulnerability in the popular decentralized finance (DeFi) protocol Curve Finance has caused funds to be drained from a number of the protocol’s liquidity pools, while roughly $100 million remains at risk.

In a tweet from Sunday, the Curve team said that “a number” of its pools that uses version 0.2.15 of the Vyper programming language have been exploited due to “a malfunctioning reentrancy lock.”

“We are assessing the situation and will update the community as things develop,” the team added.

A number of stablepools (alETH/msETH/pETH) using Vyper 0.2.15 have been exploited as a result of a malfunctioning reentrancy lock. We are assessing the situation and will update the community as things develop.

Other pools are safe. https://t.co/eWy2d3cDDj

— Curve Finance (@CurveFinance) July 30, 2023

In a follow-up tweet on Monday, the Curve team listed all pools that have been hacked so far as result of the vulnerability.

It also warned users to withdraw all funds held in the Arbitrum Tricrypto pool, which holds USDT, WBTC and ETH tokens.

Just in case the hacker can outsmart top auditors and vyper devs

— Curve Finance (@CurveFinance) July 31, 2023

As of now, as much as $100 million worth of crypto remains at risk in the mentioned Curve pools, representing a significant risk for the entire protocol’s reputation.

Curve Finance, which is a decentralized exchange (DEX) for stablecoins that uses the automated market maker (AMM) model to manage liquidity, has traditionally been seen as one of the most solid projects in crypto.

CRV token plummets

Following the recent events, however, the price of Curve Finance’s native CRV token has plummeted in the market.

As of press time on Monday, the token was down 12% for the past 24 hours alone, and down more than 15% for the past 7 days.

Over the past 12 months, the CRV token has lost more than half of its value, while other major cryptoassts like Bitcoin (BTC) and Ether (ETH) have risen in price.

The vulnerability pointed to by Curve is the same type of vulnerability as DeFi protocols Era Lend and Conic Finance said was responsible for draining funds from them last week.

Already, a white hat hacker has recovered 2,870 ETH, worth around $5.4 million, to Curve Finance following the recent hacking incidents.