Curve Finance Suffers $70M Exploit, Hackers Go Rampant

Learn about the Curve Finance exploit, which caused over $70 million in losses. This article covers the affected pools and token price action.

Introduction

The decentralized finance (DeFi) industry has been a hotbed of development and innovation, providing a wide range of financial services without the need for traditional middlemen. However, this exposes users to dangers and weaknesses that bad actors might exploit. Curve Finance, a well-known decentralized exchange, was recently hit by one such event.

A series of attacks on Curve Finance, a prominent decentralized exchange (DEX) in the DeFi space, caused over $70 million in losses. The attack began with the exploitation of a coding fault and struck many pools, with Alchemix among the hardest hit. Although white hat hackers may have prevented more damage, worries about knock-on consequences and bad debt persist.

Despite the chaos, some money has been recovered thanks to MEV searchers. Attacks on the Binance Smart Chain (BSC) are carbon copies of those on other blockchains, owing to flaws in the Vyper programming language.

 

Affected pools

On that fateful Sunday, the Curve Finance decentralized exchange was the target of a series of hacks that stole digital assets worth over $70 million. The assaults, which were carried out by taking advantage of a flaw in the code, hit many pools at once, including the pETH-ETH liquidity pool operated by JPEG, the alETH-ETH pool used by Alchemix, the CRV/ETH pool, the pETH-ETH pool used by Pendle, and the msETH-ETH pool operated by Metronome.

Curve Finance Statement | Source: Twitter

The total amount lost might be closer to $50 million, since certain breaches were carried out by white hat hackers, reducing some of the damage. Curve’s many contracts were written in the Vyper programming language, which has a security flaw that allowed the theft. The vulnerability was due to a false assumption about the effectiveness of safeguards in preventing “reentrancy” attacks.

 

More hacks

Two hours after the disclosure, a new exploit of the CRV-ETH pool drained an additional $5.2 million. This is despite public comments stating that all impacted pools had been emptied or white-hat hacked.

After the attack, Alchemix took swift measures to suspend some contracts, such as the “transmuter” contract and the “bridge to Optimism,” to mitigate any additional fallout. However, the full scope of the damage is not yet known, and estimates of the losses have varied widely. Given that $60 million of creator Michael Egorov’s Aave V2 loan is backed by CRV tokens, which might be challenging to sell in the event of bad debt, the situation has called the future stability of the protocol into question.

Similar attacks, this time on the BNB Smart Chain (BSC), were launched because of a flaw in the Vyper programming language. They were identical to the DeFi protocol hack used against Curve Finance.

BlockSec, a blockchain security company, said on July 30 that three distinct attacks had stolen over $73,000 worth of cryptocurrency from the BSC. This new event was similar to the continuing attacks on Ethereum’s Curve Finance platform.

BlockSec | Source: Twitter

 

Token Price Action

Tokens like CRV, the governance token for Curve Finance, witnessed a sharp decline in value, plummeting by 13% to $0.638 as of press time, with a previous dip to $0.58 during the height of the exploit. 

$CRV 24-hour chart | Source: CMC

Similarly, Alchemix’s governance token $ALCX fell approximately 7% due to the attack on its alETH-ETH pool. The token is now trading at $13.09, 5.9% below its previous 24-hour price as of press time, according to CoinMarketCap stats.

 

Conclusion

The latest breach at Curve Finance has shown how crucial it is to have solid security in the DeFi industry. Significant monetary losses and damaged investor trust may result from vulnerabilities in programming languages like Vyper. But the DeFi community has shown resilience in the face of such threats, with white hat hackers and MEV searchers playing critical roles in limiting the damage and retrieving stolen assets.

Constant work to enhance security practices and fortify procedures is necessary to establish confidence and encourage long-term development in the DeFi industry. Furthermore, vigilance across all blockchain ecosystems is required in light of the recent copycat attacks on the Binance Smart Chain. The industry will gain the knowledge it needs to overcome the obstacles and fully realize the benefits of decentralized finance as time goes on.
