- Multiple stable pools on Curve Finance have been exploited for over $26 million in wETH and CRV.
- The affected stable pools were using Vyper which had a malfunctioning reentrancy lock.
- The exploit was followed by a second attack on the crv/eth pool, which led to an outflow of another $14 million.
- Native token CRV lost more than 19% of its value, reaching a four-week low of $0.61.
Leading DeFi protocol Curve Finance became the target of multiple exploits earlier today, when attackers hit three stable pools, resulting in an outflow of more than $40 million. The initial attack targeted the factory pools of Alchemix, Metronome, and JPEGd, all of which suffered from a security flaw called a reentrancy vulnerability.
Whitehat Operation Cut Short By Second Curve Finance Exploit
According to data compiled by blockchain security firm Ancilia, the affected stable pools, namely alETH, msETH, and pETH, all used a Pythonic smart contract language called Vyper. Versions 0.2.15, 0.2.16, and 0.3.0 of Vyper were reportedly vulnerable to malfunctioning reentrancy locks, which allowed the hacker to repeatedly withdraw funds from the smart contract.
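For teams checking their own contracts against the three releases named above, the following added example (not from Curve, Vyper, or Ancilia) flags Vyper sources whose version pragma admits an affected compiler and which rely on `@nonreentrant`. The function names, risk labels, and sample sources are assumptions made for illustration.

```python
import re

# Vyper releases the article names as having a faulty reentrancy lock.
AFFECTED = {(0, 2, 15), (0, 2, 16), (0, 3, 0)}
# Both pragma spellings: "# @version ^0.2.15" and "#pragma version 0.3.0".
PRAGMA = re.compile(r"^#\s*(?:@version|pragma\s+version)\s+(\S+)", re.M)
NONREENTRANT = re.compile(r"^\s*@nonreentrant\b", re.M)
SPEC = re.compile(r"(\^|~|>=|==|=)?v?(\d+)\.(\d+)\.(\d+)$")

def allowed(spec, version):
    """True if the compiler `version` tuple satisfies the pragma `spec`."""
    m = SPEC.match(spec)
    if not m:
        return True  # unparsable spec: treat as unpinned, stay conservative
    op, base = m.group(1) or "==", tuple(int(x) for x in m.group(2, 3, 4))
    if op in ("==", "="):
        return version == base
    if op == ">=":
        return version >= base
    if op == "~":  # stays on the same minor line
        return version[:2] == base[:2] and version >= base
    # caret: on 0.x releases the minor number is the compatibility boundary
    width = 1 if base[0] else 2
    return version[:width] == base[:width] and version >= base

def audit(source):
    """Return (risk, affected versions the pragma admits) for one Vyper source."""
    pragma = PRAGMA.search(source)
    if pragma is None:
        hits = sorted(AFFECTED)  # no pin: any compiler could have built it
    else:
        hits = sorted(v for v in AFFECTED if allowed(pragma.group(1), v))
    uses_lock = bool(NONREENTRANT.search(source))
    if hits and uses_lock:
        risk = "review"   # depends on the lock and may be built with a bad release
    elif hits:
        risk = "no-lock"  # affected compiler possible, but no @nonreentrant used
    else:
        risk = "ok"
    return risk, [".".join(map(str, v)) for v in hits]

# Constructed sample sources, not taken from any deployed pool.
SAMPLES = {
    "pool_a.vy": '# @version 0.2.15\n@external\n@nonreentrant("lock")\ndef remove_liquidity(): pass\n',
    "pool_b.vy": '# @version ^0.3.0\n@external\n@nonreentrant("lock")\ndef exchange(): pass\n',
    "pool_c.vy": '#pragma version 0.3.10\n@external\n@nonreentrant("lock")\ndef exchange(): pass\n',
    "token.vy": '# @version 0.2.16\n@external\ndef transfer(): pass\n',
}
REPORT = {name: audit(src) for name, src in SAMPLES.items()}
```

A `review` result only says the pragma permits an affected compiler; the version actually used for a deployed contract has to be confirmed from its build or verification metadata.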
The attacker managed to exploit Alchemix to the tune of $13.6 million, while NFT lending protocol JPEGd lost $11.4 million. A further $1.6 million was drained from Metronome DAO’s sETH-ETH-f pool. The tokens associated with all three projects witnessed a significant downtrend following the exploits.
A white hat rescue operation was announced soon after reports of the exploits started taking over the crypto community on Twitter. Curve Finance assured the community that crvUSD contracts and associated pools were not affected by the attacks. The DeFi protocol further directed all affected parties to coordinate with the white hat efforts.
However, before the white hat operation could ensure the safety of the funds, another attack was mounted on the crv/eth pool. Data from Etherscan showed that the attacker drained 7 million Curve DAO Tokens (CRV) and $14 million worth of wrapped Ether (wETH) in the exploit. The wallet used in this exploit was reportedly funded from Binance. The latest exploit brought the total loss to over $46 million.
The barrage of exploits had a significant impact on the tokens of the affected projects. CRV lost more than 19% of its value, reaching a four-week low of $0.61. At the time of writing, the token was trading at $0.63.