Cyber Incident Victim: Curve Finance
Date: Jul 2023
Location: South Korea
Summary
A cyber attack exploited a reentrancy lock vulnerability in specific versions of the Vyper programming language, impacting the Curve Finance exchange. This resulted in the loss of approximately $50 million from several of its stablecoin pools. The incident triggered significant volatility in the DeFi ecosystem, affecting the platform's native token and leading to a white hat recovery of some funds. Other projects using the vulnerable Vyper versions were also at risk.
Description
The Curve Finance stablecoin exchange suffered a cyber attack on or around July 30, 2023, resulting in losses estimated at approximately $50 million. The attack was not due to a flaw in Curve's own protocol code but to a vulnerability in specific versions of the Vyper programming language, which is used to write smart contracts on the Ethereum blockchain. Vyper officially confirmed that its versions 0.2.15, 0.2.16, and 0.3.0 were vulnerable to a malfunction in their reentrancy locks. Reentrancy is a well-known class of smart contract vulnerability in which an attacker calls back into a contract's functions before a previous execution has finished updating its state, enabling withdrawals in excess of what the contract's accounting should permit. The malfunctioning lock in these Vyper compiler versions provided the attack vector exploited against Curve Finance.
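As an added, constructed illustration (not Curve's or Vyper's code) of why a reentrancy lock matters: two pool functions are tagged with the same lock key, and a callback during a withdrawal tries to re-enter the deposit function while the pool's reserve has already dropped but its LP supply has not yet been reduced. Modelling the lock failure as "each function gets its own slot instead of one shared slot" is an assumption of this example, not a detail the page states; the pool arithmetic is simplified for the illustration.

```python
# Constructed model of a reentrancy lock that fails across functions; not Curve's
# or Vyper's code. Both entry points use the same lock key; with shared_lock the
# key maps to one slot (intended), without it each function gets its own slot.
class ReentrancyBlocked(Exception): pass

def nonreentrant(key):
    def deco(fn):
        def wrapper(self, *args, **kw):
            slot = key if self.shared_lock else f"{key}:{fn.__name__}"
            if self.locks.get(slot):
                raise ReentrancyBlocked(fn.__name__)
            self.locks[slot] = True
            try:
                return fn(self, *args, **kw)
            finally:
                self.locks[slot] = False
        return wrapper
    return deco

class Pool:
    def __init__(self, shared_lock):
        self.shared_lock, self.locks = shared_lock, {}
        self.lp, self.reserve, self.lp_total = {}, 0, 0

    @nonreentrant("lock")
    def add_liquidity(self, who, eth):
        # LP minted pro rata to the reserve as currently recorded
        minted = eth if self.lp_total == 0 else eth * self.lp_total // self.reserve
        self.reserve, self.lp_total = self.reserve + eth, self.lp_total + minted
        self.lp[who] = self.lp.get(who, 0) + minted
        return minted

    @nonreentrant("lock")
    def remove_liquidity(self, who, lp, on_receive=None):
        eth_out = lp * self.reserve // self.lp_total
        self.reserve -= eth_out          # ETH leaves first ...
        if on_receive: on_receive(self)  # ... recipient callback runs here ...
        self.lp_total -= lp              # ... LP is burned only afterwards
        self.lp[who] -= lp
        return eth_out

def run_scenario(shared_lock):
    """(blocked, fair): is the mid-withdrawal re-entry stopped, and is the caller's LP fairly priced?"""
    pool = Pool(shared_lock)
    pool.add_liquidity("provider", 1000)
    pool.add_liquidity("caller", 100)
    try:
        pool.remove_liquidity("caller", 100, lambda p: p.add_liquidity("caller", 100))
    except ReentrancyBlocked:
        return True, True                # on chain the whole transaction reverts
    return False, pool.lp["caller"] == 100   # 100 ETH into a 1:1 pool should mint 100 LP
```

With the shared lock the re-entry raises and the transaction would revert; with per-function slots the caller ends up holding 110 LP for 100 ETH, the kind of accounting drift an invariant check on mint price would flag.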

Unlike traditional exchanges that utilize intermediaries, Curve Finance operates in a decentralized manner, relying on automated smart contracts to provide users with services including stablecoin trading, borrowing, and lending. These smart contracts, some of which were written in the affected Vyper versions, govern various liquidity pools. The hackers exploited the Vyper vulnerability to drain several of these stablecoin pools, which are critical for providing pricing and liquidity across a wide array of decentralized finance (DeFi) services. Curve Finance confirmed that a number of stablepools, specifically those involving alETH/msETH/pETH, which utilized Vyper 0.2.15, had been exploited as a direct result of the malfunctioning reentrancy lock. The platform was quick to note that other pools not relying on these vulnerable compiler versions remained safe as the incident unfolded.
The financial impact of the exploit was significant and multifaceted. According to Curve Finance CEO Michael Egorov, the crv/eth swap pool was drained of 32 million CRV tokens. CRV is the platform's native governance token, and this quantity was valued at over $22 million at the time of the incident. Beyond this, the attack affected multiple other pools hosted on the Curve platform. Alchemix’s alETH-ETH pool suffered a loss of $13.6 million, while JPEGd’s pETH-ETH pool lost $11.4 million. An additional $1.6 million was taken from Metronome’s sETH-ETH pool. These figures brought the total confirmed losses from the Curve platform itself to at least $48.6 million worth of cryptocurrency. Furthermore, the platform issued a warning concerning its Tricrypto pool, which consists of USDC, wBTC, and ETH, noting that while auditors and Vyper developers had been unable to find a profitable exploit for it, users should consider exiting that pool as a precautionary measure. In total, the vulnerability was assessed to have put over $100 million worth of crypto assets at risk across various pools on the Curve platform.
The incident's scope extended beyond just Curve Finance, highlighting the systemic risk posed by a vulnerability in a common programming language tool. Another exchange, Ellipsis, which is based on the BNB Chain, disclosed that a small number of its stablepools utilizing BNB and an old Vyper compiler had also been exploited. Ellipsis did not immediately release the specific value of assets lost from its platform, but its announcement confirmed that the Vyper vulnerability had a broader impact across the DeFi ecosystem, affecting multiple independent projects that relied on the compromised compiler versions. This wider impact underscored the interconnected nature of DeFi, where a single point of failure in a shared infrastructure component can lead to widespread collateral damage.
The cyber attack triggered considerable panic throughout the entire DeFi ecosystem. This fear manifested in a wave of transactions as users rushed to withdraw funds from potentially vulnerable pools. The event also spurred a white hat rescue effort, an instance of which led to the recovery of some funds for Curve Finance. A bot operator known as ‘c0ffeebabe.eth’ successfully returned 2,879 ETH, which was approximately equivalent to $5.5 million at prevailing values, to the platform. This recovery was part of a complex on-chain activity where the white hat entity effectively intervened to secure funds that were otherwise being targeted by malicious actors.
The panic had immediate and severe consequences for the CRV token and related DeFi protocols. The lending and borrowing protocol Aave responded to the market turmoil by turning off its CRV borrowing feature. This action was particularly significant due to the financial position of Curve CEO Michael Egorov, who was reported to owe a substantial $100 million debt in CRV tokens on the Aave platform. The exploit caused a sharp decline in the price of the CRV token, increasing the risk of liquidation for Egorov's large position. If the token's price were to fall further and hit a specific liquidation threshold, the Aave protocol would be forced to automatically liquidate the CRV collateral, an event that could create immense selling pressure and exacerbate the token's price decline in a negative feedback loop. According to market data, the CRV token price dropped by over 12% following the exploit, trading at around $0.6386. The volatility prompted the South Korean cryptocurrency exchange Upbit to suspend all deposits and withdrawals of the CRV token, issuing a warning to its users about the significant volatility and advising caution regarding any investments related to CRV. The incident served as a stark reminder of the fragility within the DeFi space, where technical vulnerabilities can quickly translate into widespread financial instability and market contagion.
