31 Jul, 2023

Hackers Exploit Curve Liquidity Pools, Stealing $47M from DeFi Protocols

Written by Julia Zakharchuk
Julia is a professional crypto and blockchain writer known for her insightful YouTube channel "MoneyFest." She showcases her dynamic presentation skills as a host and moderator at blockchain conferences. Julia drives also business development at ChainUp and advises UNITBOX, an innovative NFT renting protocol. With her exceptional expertise, Julia is a highly valued industry contributor...
Fact checked by Vladimir Nikitin
Vladimir Nikitin is the CIO and Co-founder of Lifty.io, leveraging his extensive entrepreneurial experience. With over six years in the blockchain industry, he initially held the position of Head of Partnerships at ICObench, the world's leading ICO project rating platform. Subsequently, he took on the role of CEO at SpaceSwap, one of the pioneering Yield...

TL;DR

On July 30, hackers exploited a vulnerability in Curve, leading to a loss of over $47 million across several decentralized finance (DeFi) protocols.

The attack targeted a vulnerability within the liquidity pools on Curve, an automated market maker (AMM) platform.

A Key to the Breach

Vyper, a third-party compiler used by Curve Finance, malfunctioned in versions 0.2.15-0.3.0 and failed to implement reentrancy locks correctly. Security firm Ancilia found that many contracts had been built with these vulnerable versions, enabling unauthorized access to funds.

Vyper, a Python-like language, is vital for Ethereum smart contract development. The Vyper team immediately began investigating and urged projects relying on the flawed versions to contact them.
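Because the affected range is a compiler version rather than a single contract, the first thing a team could do after reading the advisory above was check which of its own sources were built with 0.2.15-0.3.0 and which of those rely on `@nonreentrant`. The script below is an added example written for this article, not code from Curve or the Vyper project. It reads the `# @version` pragma that Vyper 0.2/0.3 sources carry (the `# pragma version` spelling is accepted as an assumed alternative), and the sample sources are constructed for the demonstration.

```python
import re
from typing import Dict, Optional, Tuple

Version = Tuple[int, int, int]

# Compiler range the article reports as affected: 0.2.15 through 0.3.0 inclusive.
VULNERABLE_MIN: Version = (0, 2, 15)
VULNERABLE_MAX: Version = (0, 3, 0)

# Matches "# @version 0.2.15" (the Vyper 0.2/0.3 pragma); "# pragma version X.Y.Z"
# is accepted as an assumed alternative spelling. A leading range operator
# (^, ~, >=) is captured so a non-pinned pragma can be reported separately.
_PRAGMA = re.compile(
    r"^\s*#\s*(?:@version|pragma\s+version)\s*([\^~<>=]*)\s*(\d+)\.(\d+)\.(\d+)",
    re.MULTILINE,
)


def parse_version_pragma(source: str) -> Optional[Tuple[str, Version]]:
    """Return (range_operator, version) from the first pragma, or None if absent."""
    m = _PRAGMA.search(source)
    if not m:
        return None
    op, major, minor, patch = m.groups()
    return op, (int(major), int(minor), int(patch))


def in_vulnerable_range(version: Version) -> bool:
    """Tuple comparison gives the usual semantic-version ordering for X.Y.Z."""
    return VULNERABLE_MIN <= version <= VULNERABLE_MAX


def audit_source(name: str, source: str) -> Dict[str, object]:
    """Classify one contract source by compiler pragma and reliance on @nonreentrant."""
    relies_on_lock = "@nonreentrant" in source
    parsed = parse_version_pragma(source)
    if parsed is None:
        verdict, version = "unknown-version", None
    else:
        op, version = parsed
        if in_vulnerable_range(version) and relies_on_lock:
            verdict = "at-risk"              # lock may have been compiled to nothing
        elif in_vulnerable_range(version):
            verdict = "vulnerable-compiler"  # affected version, no lock declared here
        elif op:
            verdict = "range-pragma"         # not pinned: confirm the compiler actually used
        else:
            verdict = "ok"
    return {"name": name, "version": version, "relies_on_lock": relies_on_lock, "verdict": verdict}


# Constructed sample sources for the demonstration; they are not real contracts.
SAMPLES = {
    "pool_a.vy": "# @version 0.2.15\n\n@external\n@nonreentrant('lock')\n"
                 "def remove_liquidity(amount: uint256):\n    pass\n",
    "pool_b.vy": "# @version 0.3.7\n\n@external\n@nonreentrant('lock')\n"
                 "def remove_liquidity(amount: uint256):\n    pass\n",
    "pool_c.vy": "# @version ^0.3.1\n\n@external\ndef get_virtual_price() -> uint256:\n    return 0\n",
    "legacy.vy": "@external\ndef foo():\n    pass\n",
}


def audit_all(samples: Dict[str, str] = SAMPLES) -> Dict[str, Dict[str, object]]:
    return {name: audit_source(name, src) for name, src in samples.items()}


if __name__ == "__main__":
    for result in audit_all().values():
        print(f"{result['name']:12} {str(result['version']):14} {result['verdict']}")
```

The pragma is only a declaration of intent: a range pragma such as `^0.3.1` means the build could have used a different patch release, so the `range-pragma` verdict is a prompt to check the actual compiler recorded by the deployment tooling, not a clean bill of health.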

The Attack on Curve and JPEG’d

Curve Finance’s CEO confirmed that $22 million in CRV tokens were drained.

Its utility token declined by over 12%, but the protocol assured that the attack didn’t affect crvUSD contracts or associated pools.

Figure: CRV token 12% decline | Source: coinmarketcap

Hackers have previously targeted the protocol, and DeFi hacks surged, swindling over $204 million in Q2 of 2023 alone.

The NFT lending protocol JPEG’d also suffered heavily, losing $11 million in cryptocurrency. Initially, Curve referred to the flaw as a conventional, avoidable read-only “re-entrancy” exploit.

However, the platform later walked back that characterization: the vulnerability the attackers exploited was eventually traced to a flaw in Vyper itself.

Attackers exploited Alchemix and Metronome DAO

JPEG’d was not alone in its losses, as Alchemix and Metronome DAO also fell victim to similar issues. They lost $13.6 million and $1.6 million, respectively.

Interestingly, a maximal extractable value (MEV) bot spotted the attacker’s pending transaction and paid a fee to have a similar transaction included first, effectively front-running the attacker.

Vyper acknowledged that the compiler for the programming language had failed, rendering the reentrancy guards in the projects’ code inoperable. The failure of guards designed specifically to block reentrant calls illustrates the critical nature of this flaw.
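The paragraph above is the core of the incident: the guard was present in the source but absent from the compiled bytecode, so the contract behaved as if it had never declared one. The simulation below is an added example written for this article, not code from Curve, Vyper or any affected project. It models a pool in plain Python with a lock that either works or is inert (the miscompiled case), and a withdrawal that either updates balances before or after the outgoing transfer, so the two defences can be compared. The accounts, amounts and callback hook are constructed for the demonstration; a failing call is treated as reverting the whole transaction, as a failed external call does on-chain.

```python
from typing import Dict, Tuple


class ReentrancyDetected(Exception):
    """Raised by a working lock when a function is entered while already executing."""


class Account:
    """A callee that does nothing when paid; the `received` hook stands in for a token callback."""
    def received(self, pool: "Pool", amount: int) -> None:
        pass


class ReenteringAccount(Account):
    """Models an untrusted callee whose callback re-enters `withdraw` once mid-transfer.
    It exists only to test which defences hold."""
    def __init__(self) -> None:
        self.depth = 0

    def received(self, pool: "Pool", amount: int) -> None:
        if self.depth < 1:
            self.depth += 1
            pool.withdraw(self, amount)


class Pool:
    def __init__(self, lock_enforced: bool, effects_first: bool) -> None:
        self.balances: Dict[Account, int] = {}
        self.reserve = 0
        self._locked = False
        self.lock_enforced = lock_enforced  # False models the compiled-out @nonreentrant
        self.effects_first = effects_first  # True models checks-effects-interactions

    def deposit(self, account: Account, amount: int) -> None:
        self.balances[account] = self.balances.get(account, 0) + amount
        self.reserve += amount

    def withdraw(self, account: Account, amount: int) -> None:
        # The guard: in a sound build this line blocks reentry; in the miscompiled
        # build it is equivalent to not being there at all.
        if self.lock_enforced and self._locked:
            raise ReentrancyDetected("withdraw")
        self._locked = True
        try:
            if self.balances.get(account, 0) < amount:
                raise ValueError("insufficient balance")
            if self.effects_first:
                self.balances[account] -= amount   # effect before the external call
            self._send(account, amount)            # interaction: control leaves the contract
            if not self.effects_first:
                self.balances[account] -= amount   # effect after the external call
        finally:
            self._locked = False

    def _send(self, account: Account, amount: int) -> None:
        self.reserve -= amount
        account.received(self, amount)


def run_scenario(lock_enforced: bool, effects_first: bool) -> Dict[str, object]:
    """Fund a pool with 110 units (100 honest, 10 from the re-entering account) and attempt
    a 10-unit withdrawal by the re-entering account. Returns the pool state afterwards."""
    pool = Pool(lock_enforced, effects_first)
    honest, reenterer = Account(), ReenteringAccount()
    pool.deposit(honest, 100)
    pool.deposit(reenterer, 10)
    snapshot: Tuple[Dict[Account, int], int] = (dict(pool.balances), pool.reserve)
    try:
        pool.withdraw(reenterer, 10)
        reverted, reason = False, ""
    except (ReentrancyDetected, ValueError) as exc:
        # A failing call reverts the whole transaction: restore the pre-call state.
        pool.balances, pool.reserve = dict(snapshot[0]), snapshot[1]
        reverted, reason = True, str(exc)
    return {
        "reverted": reverted,
        "reason": reason,
        "reserve": pool.reserve,
        "paid_out": 110 - pool.reserve,
        "reenterer_balance": pool.balances.get(reenterer, 0),
    }


if __name__ == "__main__":
    for lock, effects in [(True, False), (False, False), (False, True)]:
        print(f"lock={lock!s:5} effects_first={effects!s:5} ->", run_scenario(lock, effects))
```

With the lock working, the nested call is rejected and the transaction reverts with the reserve intact. With the lock inert and balances updated only after the transfer, the 10-unit deposit is paid out twice and the account's recorded balance goes negative, which is the accounting failure behind the losses described in this article. With the lock inert but balances updated before the transfer, the nested call fails its balance check and the transaction still reverts: ordering effects before interactions is the defence that does not depend on the compiler emitting the guard.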

Lessons from the Attack

The theft of $47 million and the jeopardizing of over $100 million from DeFi protocols are a stern reminder of the risks associated with the emerging world of decentralized finance. The incident highlights the need for continuous vigilance, robust security measures, and thorough evaluation of third-party tools and languages, including the compiler itself, in the rapidly evolving crypto landscape.