Curve, a stablecoin exchange at the heart of decentralized finance (DeFi) on Ethereum, has been the victim of an exploit according to a tweet from the project.
A number of stablepools (alETH/msETH/pETH) using Vyper 0.2.15 have been exploited as a result of a malfunctioning reentrancy lock. We are assessing the situation and will update the community as things develop.Other pools are safe. https://t.co/eWy2d3cDDj
— Curve Finance (@CurveFinance) July 30, 2023
Upwards of $100 million worth of cryptocurrency are at risk due to a “re-entrancy” bug in Vyper, a programming language used to power parts of the Curve system. Several stablecoin pools on the platform — used for pricing and liquidity on a number of different DeFi services — have been drained by hackers so far.
Other projects that use the Vyper programming language could share the same vulnerability.
It was unclear at press time how much had been drained from Curve as a result of the attack. BlockSec, a blockchain auditing firm, estimated the total losses above $42 million in a preliminary analysis posted to Twitter.
Please note that this reentrancy issue is associated with the use of 'use_eth', which could potentially place the WETH-related pools in jeopardy! @CurveFinance , please DM us if you need any help. https://t.co/vjc1RRce7w pic.twitter.com/Wz8DXJZK7Y
— BlockSec (@BlockSecTeam) July 30, 2023
The heist destabilized trading markets for Curve DAO’s native CRV token, which was down 17% on the day at a price of $0.61 as of press time. That price action threatened to compound the chaos by potentially forcing a liquidation on the founder of Curve’s $70 million borrowing position on Aave.
This is a developing story.
