{"id":82486,"date":"2023-08-01T19:24:21","date_gmt":"2023-08-01T16:24:21","guid":{"rendered":"https:\/\/forklog.com\/en\/?p=82486"},"modified":"2025-09-12T05:22:44","modified_gmt":"2025-09-12T02:22:44","slug":"expert-curve-hack-a-minor-incident-compared-with-secs-actions","status":"publish","type":"post","link":"https:\/\/forklog.com\/en\/expert-curve-hack-a-minor-incident-compared-with-secs-actions\/","title":{"rendered":"Expert: Curve hack a minor incident compared with SEC&#8217;s actions"},"content":{"rendered":"<p>On July 30, attackers exploiting a vulnerability in the Vyper compiler hacked a number of liquidity pools on the decentralized exchange Curve Finance and <a href=\"https:\/\/forklog.com\/en\/news\/hacker-drains-curve-finance-liquidity-pools-of-47-million\">stole more than $50 million<\/a> in various tokens. Because of the bug, more than 450 pools were at risk at the moment of the incident. ForkLog discussed the case with experts.<\/p>\n<h2 class=\"wp-block-heading\">What happened?<\/h2>\n<p>According to <a href=\"https:\/\/hackmd.io\/@LlamaRisk\/BJzSKHNjn\">the Llama Risk report<\/a>, the cause of the Curve Finance hack was a faulty reentrancy lock in certain versions of the Vyper compiler.<\/p>\n<blockquote class=\"wp-block-quote is-layout-flow wp-block-quote-is-layout-flow\"><p>\n<cite>\u00abCurve contracts became vulnerable when calling the raw_call function to send native tokens. Each affected Curve pool used one of the problematic Vyper versions and contained pairs with native ETH. 
Pools in the WETH pair were not affected\u00bb, \u2014 noted the specialists.<\/cite><\/p><\/blockquote>\n<figure class=\"wp-block-image size-full\"><img decoding=\"async\" src=\"https:\/\/forklog.com\/wp-content\/uploads\/1-770.webp\" alt=\"1-770\" class=\"wp-image-212728\"\/><figcaption class=\"wp-element-caption\">Data: <a href=\"https:\/\/twitter.com\/vyperlang\/status\/1685692973051498497\">X<\/a>.<\/figcaption><\/figure>\n<p>As explained to ForkLog by representatives of the analytics firm Crystal Blockchain, the vulnerability allowed attackers to create smart contracts that could perform transactions without user authorization. <\/p>\n<p>The incident <a href=\"https:\/\/twitter.com\/hapi_labs\/status\/1686093132088152064\">affected projects<\/a> Alchemix, JPEG\u2019d, MetronomeDAO, Ellipsis and deBridge.<\/p>\n<p>The most affected pools:<\/p>\n<ul class=\"wp-block-list\">\n<li>pETH\/ETH \u2014 6,106.65 WETH (~$11 million);<\/li>\n<li>msETH\/ETH \u2014 866.55 WETH (~$1.6 million) and 959.71 msETH (~$1.8 million);<\/li>\n<li>alETH\/ETH \u2014 7,258.7 WETH (~$13.6 million) and 4,821.55 alETH (~$9 million);<\/li>\n<li>CRV\/ETH \u2014 7,193,401.77 CRV (~$5.1 million at the time of the incident), 7,680.49 WETH (~$14.2 million) and 2,879.65 ETH (~$5.4 million).<\/li>\n<\/ul>\n<p>The Arbitrum Tri-Crypto pool could also potentially have been affected. Auditors and Vyper developers could not confirm the existence of the exploit, but Curve advised liquidity providers to exit it as a precaution. 
<\/p>\n<p>Although emergency <a href=\"https:\/\/forklog.com\/en\/news\/what-is-a-dao-decentralised-autonomous-organisation\">DAO<\/a> measures could neither halt the pool nor affect users&#8217; funds, the issuance of additional CRV was frozen.<\/p>\n<h2 class=\"wp-block-heading\">Tweets that aggravated the incident<\/h2>\n<p>In the first minutes after the hack, analysts from BlockSec and PeckShieldAlert posted on X (formerly Twitter) excerpts of the Vyper compiler&#8217;s open-source code with details of the vulnerability. Such actions drew sharp condemnation from the community, after which the original posts were removed.<\/p>\n<figure class=\"wp-block-image size-full\"><img decoding=\"async\" src=\"https:\/\/forklog.com\/wp-content\/uploads\/2-626.webp\" alt=\"2-626\" class=\"wp-image-212729\"\/><figcaption class=\"wp-element-caption\">Data: <a href=\"https:\/\/twitter.com\/LefterisJP\/status\/1685752260465180673\">X<\/a>.<\/figcaption><\/figure>\n<p>According to HAPI Labs&#8217; head of analytics and research, Mark Leczyuk, the BlockSec and PeckShield tweets gave external hackers the opportunity to \u201cjoin the hack\u201d and worsen the situation.<\/p>\n<blockquote class=\"wp-block-quote is-layout-flow wp-block-quote-is-layout-flow\"><p>\n<cite>\u00abDuring the incident, such actions were absolutely unacceptable, especially for cheap PR. They should report attack details to the project directly or contact those who are still running the vulnerable compiler version\u00bb, \u2014 he explained.<\/cite><\/p><\/blockquote>\n<p>Leczyuk added that the pools were attacked by several independent hackers. Among them were some &#8220;white hat&#8221; hackers, through whom the project managed to recover part of the stolen funds. In particular, 2,879.65 ETH (~$5.4 million) stolen from the CRV\/ETH pool by c0ffeebabe.eth has already been returned to Curve Finance.
<\/p>\n<p>After the wave of criticism, BlockSec representatives replied that when posting the tweet with attack details they were guided by the need to warn the community as quickly as possible, since the Curve Finance team was not reachable.<\/p>\n<h2 class=\"wp-block-heading\">Impact on the DeFi sector<\/h2>\n<p>At the time of the incident, more than 450 liquidity pools used vulnerable Vyper compiler versions, so the number of victims and the losses could have been much larger, according to HAPI Labs experts. Such a scenario, they say, could have triggered unprecedented panic and a liquidity drain across the entire DeFi space.<\/p>\n<p>The issue with the compiler is now resolved. Developers noted that the attacker had to \u201cdig deeply\u201d into the version history to locate this not-so-obvious flaw.<\/p>\n<p>A DeFi researcher going by the nickname Ignas, in a comment to <a href=\"https:\/\/www.theblock.co\/post\/242159\/curve-finance-exploit-has-shaken-confidence-in-defi\">The Block<\/a>, stated that the Curve Finance incident has &#8220;shaken confidence in DeFi.&#8221;<\/p>\n<blockquote class=\"wp-block-quote is-layout-flow wp-block-quote-is-layout-flow\"><p>\n<cite>\u00abIf a protocol that worked fine for three years suffers from an exploit, the question arises of how safe other \u201cblue chips\u201d like Aave, Compound or even Uniswap are. There are huge risks in the event of a hack of Uniswap v4 with its monolithic smart-contract design, as all assets would be instantly vulnerable\u00bb, \u2014 he said.<\/cite><\/p><\/blockquote>\n<p>Ignas also noted that several protocols whose synthetic assets depend on CRV liquidity could be in debt to users. In particular, he mentioned liquidations at Aave, Frax and Abracadabra totaling $100 million after the attack.<\/p>\n<p>In his view, the incident could slow institutional adoption of DeFi.
<\/p>\n<p>Meanwhile, MakerDAO co-founder Rune Christensen <a href=\"https:\/\/twitter.com\/RuneKek\/status\/1686023322675400707?t=lhL2pMpdARV7XNo3NXhXyQ&#038;s=19\">thinks<\/a> that the Curve Finance exploit will be the \u201clast crash\u201d before a new upswing in the crypto market.<\/p>\n<p>Nostra founder David Garay <a href=\"https:\/\/twitter.com\/davgarai\/status\/1686024863394168833\">agrees<\/a> with him:<\/p>\n<blockquote class=\"wp-block-quote is-layout-flow wp-block-quote-is-layout-flow\"><p>\n<cite>\u00abThis could also be a turning point when lending protocols finally begin proactively monitoring liquidity in the network for every embedded type of collateral\u00bb.<\/cite><\/p><\/blockquote>\n<p>In turn, Indefibank CEO Sergey Mendeleev, in a ForkLog comment, pointed to the minor impact of the hack on the DeFi market.<\/p>\n<blockquote class=\"wp-block-quote is-layout-flow wp-block-quote-is-layout-flow\"><p>\n<cite>\u00abCurve Finance is a large protocol that covers all losses, and users ultimately won\u2019t notice anything. I would not pay attention to this minor incident at all. The actions of the U.S. 
Securities and Exchange Commission and European regulators pose a significantly greater threat to the crypto market and DeFi in particular\u00bb, \u2014 said the expert.<\/cite><\/p><\/blockquote>\n<p>Earlier, ForkLog reported that a wallet belonging to Tron co-founder Justin Sun <a href=\"https:\/\/forklog.com\/en\/news\/justin-sun-buys-2-9-million-worth-of-crv-tokens\">transferred 2 million USDT from the Aave network<\/a> and sent them to Mikhail Egorov, head of the DeFi protocol Curve Finance, in exchange for 5 million CRV (~$2.9 million at the time of writing).<\/p>\n<p>As previously reported, in July crypto traders lost digital assets <a href=\"https:\/\/forklog.com\/en\/news\/crypto-industry-lost-303m-in-july-due-to-hackers\">totaling $303 million<\/a> to exploits and hacker attacks.<\/p>\n","protected":false},"excerpt":{"rendered":"<p>On July 30, attackers hacked a number of Curve Finance liquidity pools and stole more than $50 million in various tokens.<\/p>\n","protected":false},"author":1,"featured_media":82487,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"select":"1","news_style_id":"1","cryptorium_level":"","_short_excerpt_text":"","creation_source":"","_metatest_mainpost_news_update":false,"footnotes":""},"categories":[3],"tags":[1154,1426,1093,1138],"class_list":["post-82486","post","type-post","status-publish","format-standard","has-post-thumbnail","hentry","category-news-and-analysis","tag-crimes","tag-curve-crv","tag-defi","tag-opinions"],"aioseo_notices":[],"amp_enabled":true,"views":"26","promo_type":"1","layout_type":"1","short_excerpt":"","is_update":"","_links":{"self":[{"href":"https:\/\/forklog.com\/en\/wp-json\/wp\/v2\/posts\/82486","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/forklog.com\/en\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/forklog.com\/en\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/forklog.com\/en\/wp-jso
n\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/forklog.com\/en\/wp-json\/wp\/v2\/comments?post=82486"}],"version-history":[{"count":1,"href":"https:\/\/forklog.com\/en\/wp-json\/wp\/v2\/posts\/82486\/revisions"}],"predecessor-version":[{"id":82488,"href":"https:\/\/forklog.com\/en\/wp-json\/wp\/v2\/posts\/82486\/revisions\/82488"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/forklog.com\/en\/wp-json\/wp\/v2\/media\/82487"}],"wp:attachment":[{"href":"https:\/\/forklog.com\/en\/wp-json\/wp\/v2\/media?parent=82486"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/forklog.com\/en\/wp-json\/wp\/v2\/categories?post=82486"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/forklog.com\/en\/wp-json\/wp\/v2\/tags?post=82486"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}