A major exploit has drained upwards of $100 million worth of cryptocurrency from Curve, a stablecoin exchange at the heart of decentralized finance (DeFi) on Ethereum. Curve relies on smart contracts instead of middlemen to offer financial services such as stablecoin borrowing, trading, and lending to users. According to a tweet from the project, the exploit was a result of a “re-entrancy” bug in Vyper, a programming language used to power parts of the Curve system.
“As a result of an issue in Vyper compiler in versions 0.2.15-0.3.0, following pools were hacked: crv/eth, aleth/eth, mseth/eth, peth/eth,” Curve tweeted Monday. Reentrancy is a well-known class of smart contract bug in which an attacker's contract calls back into a protocol before an earlier call has finished updating the protocol's state, allowing assets to be withdrawn repeatedly. BlockSec, a blockchain auditing firm, estimated the total losses above $42 million in a preliminary analysis posted to Twitter.
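The following Python model, added here as an illustration and not code from Curve, Vyper or the article, shows the mechanism behind the reentrancy bug class described above. A toy vault pays out before it updates the caller's balance, a depositor whose receive hook calls back into the vault drains it, and two standard mitigations (updating state before the external call, and a reentrancy lock) stop the callback. The contract names, amounts and call depth are constructed; the page does not detail the compiler defect it references, and this model does not attempt to reproduce it.

```python
"""Constructed model of a reentrancy bug and its two usual mitigations.

Not Vyper or Curve code. Balances are plain integers and the "external
call" is a Python method call, which is enough to show why the ordering
of state updates and external calls matters.
"""


class ReentrancyError(Exception):
    """Raised by the guarded vault when withdraw() is entered while locked."""


class Vault:
    def __init__(self, ordering="effects_last", guarded=False):
        # ordering: "effects_last" pays out before updating state (vulnerable),
        #           "effects_first" updates state before paying out (safe).
        # guarded:  emulate a nonreentrant lock around withdraw().
        self.balances = {}
        self.reserve = 0
        self.ordering = ordering
        self.guarded = guarded
        self._locked = False

    def deposit(self, who, amount):
        self.balances[who] = self.balances.get(who, 0) + amount
        self.reserve += amount

    def withdraw(self, who):
        """Pay out `who`'s full balance; returns the amount paid."""
        if self.guarded:
            if self._locked:
                raise ReentrancyError("reentrant call rejected")
            self._locked = True
        try:
            amount = self.balances.get(who, 0)
            if amount == 0 or self.reserve < amount:
                return 0
            if self.ordering == "effects_first":
                # Checks-effects-interactions: state is final before the call.
                self.balances[who] = 0
                self.reserve -= amount
                who.receive(self, amount)
            else:
                # External call first: the callee can re-enter while
                # balances[who] and reserve still show the old values.
                who.receive(self, amount)
                self.balances[who] = 0
                self.reserve -= amount
            return amount
        finally:
            if self.guarded:
                self._locked = False


class Honest:
    """Depositor whose receive hook does nothing but record the payout."""

    def __init__(self):
        self.received = 0

    def receive(self, vault, amount):
        self.received += amount


class Reentrant:
    """Depositor whose receive hook calls withdraw() again while the first
    withdraw is still in flight, up to max_depth nested calls (this models
    a contract's fallback function re-entering the protocol)."""

    def __init__(self, max_depth):
        self.max_depth = max_depth
        self.depth = 0
        self.received = 0

    def receive(self, vault, amount):
        self.received += amount
        if self.depth < self.max_depth:
            self.depth += 1
            try:
                vault.withdraw(self)
            except ReentrancyError:
                pass  # the lock stopped the nested call


def run_scenario(ordering, guarded, honest_deposit=90, attacker_deposit=10,
                 max_depth=4):
    """Returns (attacker_received, vault_reserve, honest_balance_on_record)."""
    vault = Vault(ordering=ordering, guarded=guarded)
    honest, attacker = Honest(), Reentrant(max_depth)
    vault.deposit(honest, honest_deposit)
    vault.deposit(attacker, attacker_deposit)
    vault.withdraw(attacker)
    return attacker.received, vault.reserve, vault.balances[honest]


if __name__ == "__main__":
    for ordering, guarded in (("effects_last", False),
                              ("effects_first", False),
                              ("effects_last", True)):
        print(ordering, "guarded" if guarded else "unguarded",
              run_scenario(ordering, guarded))
```

In the vulnerable configuration the attacker, having deposited 10, receives 50 and the vault's reserve falls to 50 while the honest depositor's recorded balance is still 90, so the vault can no longer honour it. Either mitigation alone limits the payout to the attacker's own 10. Using both is the usual recommendation: a lock protects functions that must make an external call mid-way, and the checks-effects-interactions ordering means the contract stays safe even if the lock itself fails.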
Curve Finance has managed to get some money back thanks to bot operator ‘c0ffeebabe.eth’ returning 2,879 ETH, worth nearly $5.5 million at current prices, to the platform. The heist destabilized trading markets for Curve DAO’s native CRV token, which was down 17% on the day at a price of $0.61 as of press time. The total value of assets locked on Curve nosedived to $1.7 billion on Monday from more than $3 billion on Sunday, according to data provider DeFiLlama, as investor capital likely fled the exchange.
The exploit has caused a ripple effect across the DeFi space, with lending and borrowing protocol Aave disabling its CRV borrowing function amid the panic. A massive $100 million CRV debt from Curve founder Michael Egorov on Aave is nearing liquidation – and if CRV prices were to continue to rise and reach the liquidation threshold, the protocol will have to liquidate the CRV positions. Other projects that use the Vyper programming language could share the same vulnerability.