{"id":82385,"date":"2023-07-31T11:06:12","date_gmt":"2023-07-31T08:06:12","guid":{"rendered":"https:\/\/forklog.com\/en\/?p=82385"},"modified":"2025-09-12T04:43:46","modified_gmt":"2025-09-12T01:43:46","slug":"hacker-drains-curve-finance-liquidity-pools-of-47-million","status":"publish","type":"post","link":"https:\/\/forklog.com\/en\/hacker-drains-curve-finance-liquidity-pools-of-47-million\/","title":{"rendered":"Hacker drains Curve Finance liquidity pools of $47 million"},"content":{"rendered":"<p>On July 30, an unknown attacker targeted the stablecoin pools of the <span data-descr=\"decentralized exchange\" class=\"old_tooltip\">DEX<\/span> Curve Finance and withdrew about $47 million, exploiting a vulnerability in the Vyper code.<\/p>\n<figure class=\"wp-block-image size-full\"><img decoding=\"async\" src=\"https:\/\/forklog.com\/wp-content\/uploads\/Snimok-ekrana-2023-07-31-v-09.49.38.webp\" alt=\"Snimok-ekrana-2023-07-31-v-09.49.38\" class=\"wp-image-212534\"\/><figcaption class=\"wp-element-caption\">Data: <a href=\"https:\/\/twitter.com\/CurveFinance\/status\/1685693202722848768?ref_src=twsrc%5Etfw%7Ctwcamp%5Etweetembed%7Ctwterm%5E1685693202722848768%7Ctwgr%5E1a21e9f7eebe74756aaf7fe038fda17c18b6de6d%7Ctwcon%5Es1_&#038;ref_url=https%3A%2F%2Fcointelegraph.com%2Fnews%2Fcurve-finance-pools-exploited-over-24-reentrancy-vulnerability\">X<\/a>.<\/figcaption><\/figure>\n<blockquote class=\"wp-block-quote is-layout-flow wp-block-quote-is-layout-flow\">\n<p>\u201cSeveral stable pools (alETH\/msETH\/pETH), using Vyper 0.2.15, were hacked due to a flaw in the reentrancy mechanism. We are assessing the situation and will inform the community as events unfold. Other pools are safe,\u201d Curve representatives wrote.<\/p>\n<\/blockquote>\n<p>Vyper is a contract-oriented programming language based on Python, designed for the Ethereum Virtual Machine. 
The developers acknowledged that the reentrancy exploit affects versions 0.2.15, 0.2.16 and 0.3.0.<\/p>\n<p>Analysts at <a href=\"https:\/\/twitter.com\/AnciliaInc\/status\/1685720461693325312\">Ancilia<\/a> say that about 460 protocols used the vulnerable software.<\/p>\n<p>According to Curve&#8217;s investigation, some compiler versions incorrectly implemented the reentrancy protection, which is supposed to prevent the simultaneous execution of multiple functions by locking the contract.<\/p>\n<p>A number of DeFi projects on Curve were affected, including JPEG\u2019d, MetronomeDAO, deBridge and Ellipsis. The largest loss, $13.6 million, was in the Alchemix alETH-ETH pool.<\/p>\n<p>BlockSec researchers also reported that a similar exploit affected three projects on BNB Smart Chain. In total, the attacker withdrew about $73,000 from protocols on that network.<\/p>\n<figure class=\"wp-block-image size-full\"><img decoding=\"async\" src=\"https:\/\/forklog.com\/wp-content\/uploads\/Snimok-ekrana-2023-07-31-v-10.07.54.webp\" alt=\"Snimok-ekrana-2023-07-31-v-10.07.54\" class=\"wp-image-212535\"\/><figcaption class=\"wp-element-caption\">Data: <a href=\"https:\/\/twitter.com\/BlockSecTeam\/status\/1685741725103583233?ref_src=twsrc%5Etfw%7Ctwcamp%5Etweetembed%7Ctwterm%5E1685741725103583233%7Ctwgr%5E4d015359e482110f833f0f12a39ed1c0d9e0fedb%7Ctwcon%5Es1_&#038;ref_url=https%3A%2F%2Fcointelegraph.com%2Fnews%2Fvyper-copycat-exploit-on-bsc-bnb-smart-chain-curve\">X<\/a>.<\/figcaption><\/figure>\n<p>A white-hat hacker and <a href=\"https:\/\/forklog.com\/en\/news\/what-is-mev-in-ethereum\">MEV<\/a> bot operator using the handle c0ffebabe.eth managed to take custody of 2,879 ETH stolen from the pools, worth about $5.4 million, after asking affiliated protocols to contact him to recover the assets. 
Later he transferred another 1,000 ETH (~$1.8 million) to a cold wallet.<\/p>\n<p>According to <a href=\"https:\/\/defillama.com\/protocol\/curve-finance?events=true\">DeFi Llama<\/a>, Curve Finance&#8217;s total value locked (TVL) fell by nearly half over 24 hours, from $3.25 billion to $1.73 billion.<\/p>\n<p>Curve DAO Token (CRV), the project&#8217;s utility token, dropped 11.5% in 24 hours, according to <a href=\"https:\/\/www.coingecko.com\/ru\/%D0%9A%D1%80%D0%B8%D0%BF%D1%82%D0%BE%D0%B2%D0%B0%D0%BB%D1%8E%D1%82%D1%8B\/curve-dao-token\">CoinGecko<\/a>. At the time of writing, the asset was trading at $0.6492.<\/p>\n<p>South Korea&#8217;s largest exchange, Upbit, <a href=\"https:\/\/upbit.com\/service_center\/notice?id=3656\">announced<\/a> that CRV volatility had increased due to the attack, and the platform suspended all deposits and withdrawals for the token.<\/p>\n<p>Earlier in July, the hacker <a href=\"https:\/\/forklog.com\/en\/news\/defi-protocol-rodeo-finance-hacked-for-1-5-million\">withdrew<\/a> $1.5 million from the DeFi protocol Rodeo Finance through oracle manipulation.<\/p>\n<p>The attacker then targeted the Alphapo project. 
Losses from the breach <a href=\"https:\/\/forklog.com\/en\/news\/alphapo-hack-losses-estimated-at-60-million\">totaled about $60 million<\/a>.<\/p>\n<p>In the first half of 2023, the crypto industry <a href=\"https:\/\/forklog.com\/en\/news\/analysts-tally-hacker-attacks-on-crypto-projects-over-six-months\">suffered 395 hacks<\/a>, losing about $479.4 million.<\/p>\n","protected":false},"excerpt":{"rendered":"<p>On July 30, an unknown attacker targeted the stablecoin pools of decentralized exchange Curve Finance and withdrew about $47 million, exploiting a vulnerability in the Vyper code.<\/p>\n","protected":false},"author":1,"featured_media":82386,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"select":"1","news_style_id":"1","cryptorium_level":"","_short_excerpt_text":"","creation_source":"","_metatest_mainpost_news_update":false,"footnotes":""},"categories":[3],"tags":[1426,44],"class_list":["post-82385","post","type-post","status-publish","format-standard","has-post-thumbnail","hentry","category-news-and-analysis","tag-curve-crv","tag-cybercrime"],"aioseo_notices":[],"amp_enabled":true,"views":"29","promo_type":"1","layout_type":"1","short_excerpt":"","is_update":"","_links":{"self":[{"href":"https:\/\/forklog.com\/en\/wp-json\/wp\/v2\/posts\/82385","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/forklog.com\/en\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/forklog.com\/en\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/forklog.com\/en\/wp-json\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/forklog.com\/en\/wp-json\/wp\/v2\/comments?post=82385"}],"version-history":[{"count":1,"href":"https:\/\/forklog.com\/en\/wp-json\/wp\/v2\/posts\/82385\/revisions"}],"predecessor-version":[{"id":82387,"href":"https:\/\/forklog.com\/en\/wp-json\/wp\/v2\/posts\/82385\/revisions\/82387"}],"wp:featuredmedia":[{"embeddable":true,"href":"h
ttps:\/\/forklog.com\/en\/wp-json\/wp\/v2\/media\/82386"}],"wp:attachment":[{"href":"https:\/\/forklog.com\/en\/wp-json\/wp\/v2\/media?parent=82385"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/forklog.com\/en\/wp-json\/wp\/v2\/categories?post=82385"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/forklog.com\/en\/wp-json\/wp\/v2\/tags?post=82385"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}