A Chain Reaction in DeFi: Inside the $70 Million Curve Finance Heist

MV Global
10 min read · Aug 3, 2023

Chapter 1: Introduction and Overview of the Exploit

Curve Finance, a decentralized exchange (DEX) pivotal to Ethereum’s DeFi ecosystem, was thrust into turmoil on Sunday following a series of hacks that drained over $70 million from various digital assets. A cornerstone for stablecoin swap markets, Curve’s significance in the DeFi landscape made this exploit particularly alarming.

The heist began around 9:30 am ET, with an initial attack on the pETH-ETH liquidity pool for over $11 million. Subsequent attacks on four other pools, including Alchemix’s alETH-ETH pool and Metronome’s msETH-ETH pool, escalated the total loss. Some hacks were reportedly executed by whitehat hackers, potentially reducing the final damage to closer to $50 million.

The chaos emanated from a zero-day vulnerability in specific versions of Vyper, the programming language used by Curve for multiple contracts. The vulnerability broke the language’s “reentrancy” protections, a common safeguard that stops a contract from being called back into before it has finished updating its own state. The ensuing reentrancy attacks exploited this flaw, allowing the theft of substantial funds.

In the immediate aftermath, the Curve team responded swiftly, draining affected pools or securing them through whitehat hacking. A statement on Curve’s Discord from team representative “mimaklas” assured the community that all unaffected pools were safe. However, even after this announcement, another exploit drained an additional $5.2 million, suggesting the situation was far from resolved.

This incident not only sent shockwaves through the Curve community but also led to finger-pointing between development teams, as Curve seemed to blame other developers in deleted tweets. Amidst the chaos, Curve’s CRV governance and rewards token fell by 13.4%, reflecting broader market anxiety.

A complex and rapidly unfolding situation, the Curve Finance exploit presents a cautionary tale in the world of decentralized finance, where code vulnerabilities can lead to significant financial loss and erode trust within the community.

Chapter 2: The Technical Details and Timeline of the Hack

Source: https://twitter.com/BlockSecTeam/status/1685742026749300736/photo/2

The exploit that drained over $70 million from Curve Finance unfolded in a meticulously orchestrated series of attacks, revealing a critical vulnerability in the compiler for Vyper, the programming language employed by Curve.

Timeline of Attacks:

9:30 am ET: The onslaught began with an exploit of JPEG’d’s pETH-ETH liquidity pool, resulting in over $11 million in theft.

Following Hours: Four more targeted attacks drained various pools, including Alchemix’s alETH-ETH pool and the CRV/ETH pool, twice. The total loss reached over $70 million, but whitehat hacking activities might have reduced the final damage to around $50 million.

4:30 pm ET: The Curve team assured the community that all affected pools were secured. However, a subsequent exploit at 6:30 pm ET drained an additional $5.2 million, indicating that the threat was not entirely neutralized.

The Zero-Day Vulnerability:

At the heart of the exploit was a zero-day vulnerability in particular versions of Vyper. This vulnerability was rooted in a flawed assumption about “reentrancy” preventions. Usually a robust safeguard, the reentrancy lock malfunctioned, enabling repeated unauthorized access to assets.

Reentrancy attacks are a common exploit vector in the world of smart contracts. They occur when an attacker can call back into a contract, typically from inside an external call that contract makes, and interact with it again before the contract has updated its own state. In this case, the malfunctioning lock allowed the exploiter to repeatedly access and drain funds.
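To make the mechanism concrete, the following is an added Python simulation, not code from the article and not Curve or Vyper code. It models a vault whose withdraw() pays the recipient before zeroing the recipient’s balance, a recipient that calls withdraw() again from inside the payout callback, and the two standard defences: a reentrancy lock (the safeguard that failed in the Curve pools) and updating state before making the external call. The class and function names, the 90/10 deposit split and the re-entry depth are all constructed for the example; the actual Vyper compiler defect is not modelled, only the behaviour a working lock must provide.

```python
# Toy model of a reentrancy attack against a withdraw() function, and of the two
# standard defences: a reentrancy lock and the checks-effects-interactions order.
# Constructed Python simulation, not Curve or Vyper code; the real Vyper compiler
# defect is not modelled, only the behaviour a working lock must give.


class ReentrancyBlocked(Exception):
    """Raised when a locked function is re-entered; stands in for an EVM revert."""


class Vault:
    """Holds deposits for accounts and pays them out on withdraw()."""

    def __init__(self, *, lock_enabled: bool, update_before_call: bool):
        self.balances: dict = {}
        self.pool = 0               # total units the vault actually holds
        self.locked = False         # the reentrancy lock's storage slot
        self.lock_enabled = lock_enabled
        self.update_before_call = update_before_call

    def deposit(self, account, amount: int) -> None:
        self.balances[account] = self.balances.get(account, 0) + amount
        self.pool += amount

    def _pay(self, account, amount: int) -> None:
        # External call: hands control to the recipient's code, which may call back.
        if amount > self.pool:
            raise RuntimeError("vault cannot pay more than it holds")
        account.on_receive(self, amount)

    def withdraw(self, account) -> int:
        if self.lock_enabled:
            if self.locked:
                raise ReentrancyBlocked("withdraw re-entered while locked")
            self.locked = True
        try:
            amount = self.balances.get(account, 0)
            if amount == 0:
                return 0
            if self.update_before_call:
                # checks-effects-interactions: zero the balance, then pay out
                self.balances[account] = 0
                self.pool -= amount
                self._pay(account, amount)
            else:
                # vulnerable order: pay out first, update the balance afterwards
                self._pay(account, amount)
                self.balances[account] = 0
                self.pool -= amount
            return amount
        finally:
            self.locked = False


class HonestDepositor:
    """A recipient that simply accepts its payout."""

    def on_receive(self, vault, amount: int) -> None:
        pass


class ReenteringCaller:
    """A recipient that calls withdraw() again from inside the payout callback."""

    def __init__(self, max_depth: int):
        self.max_depth = max_depth
        self.depth = 0
        self.received = 0

    def on_receive(self, vault, amount: int) -> None:
        self.received += amount
        self.depth += 1
        if self.depth < self.max_depth:
            try:
                vault.withdraw(self)      # balance not yet zeroed in the vulnerable order
            except ReentrancyBlocked:
                pass                      # inner call reverted; outer withdraw continues


def simulate(*, lock_enabled: bool, update_before_call: bool, depth: int = 5) -> dict:
    """Run one scenario: 90 units of honest deposits, 10 from the re-entering caller."""
    vault = Vault(lock_enabled=lock_enabled, update_before_call=update_before_call)
    vault.deposit(HonestDepositor(), 90)
    caller = ReenteringCaller(max_depth=depth)
    vault.deposit(caller, 10)
    vault.withdraw(caller)
    return {"caller_received": caller.received, "pool_left": vault.pool}


if __name__ == "__main__":
    print("no lock, update after call :", simulate(lock_enabled=False, update_before_call=False))
    print("working lock               :", simulate(lock_enabled=True, update_before_call=False))
    print("no lock, update before call:", simulate(lock_enabled=False, update_before_call=True))
```

With neither defence, a caller who deposited 10 units walks away with 50 and the pool is left holding 50 of the 100 it started with; with a working lock the re-entrant call reverts and only the legitimate 10 are paid out; with the state update moved ahead of the external call the re-entrant call simply sees a zero balance. The lock is the defence that the article says failed in Curve’s Vyper-compiled pools, which is why the second ordering is worth keeping as a belt-and-braces measure even where a lock exists.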

Source: https://twitter.com/CurveFinance/status/1685693202722848768?s=20

The discovery of this vulnerability ignited a blame game between development teams. The official Curve Twitter account initially seemed to blame JPEG’d’s developers, only to delete the tweet later. Dr. Laurence Day, a smart contract expert, cautioned against finger-pointing, emphasizing the complexity of compilers and the assumptions made by developers.

Adding to the complexity, Curve has been a vital supporter of Vyper, even funding its development. Some Curve team members are actively involved in maintaining the Vyper codebase, intertwining the responsibilities and reactions of both parties.

The exploit served as a stark reminder of the intricacies and inherent risks of smart contract development. It exposed the fragility of assumptions and the potential for catastrophic failure, even in well-established and respected protocols.

The Curve hack not only led to significant financial loss but also opened a dialogue about accountability, collaboration, and vigilance in decentralized systems. As the dust settles, the DeFi community must grapple with the lessons learned and the ongoing challenge of securing a world built on code.

Chapter 3: Impact, Recovery, and the DeFi Ecosystem at Risk

Source: https://blockworks.co/news/aave-curve-bad-debt

The Curve Finance exploit had profound consequences, touching individual protocols, market dynamics, governance structures, and the entire DeFi ecosystem. This chapter delves into the multifaceted impact, the recovery efforts, and the actions that put the DeFi world at risk.

At the heart of this potential crisis is Curve CEO Michael Egorov’s enormous lending position, putting an eye-watering $168 million stash of CRV, Curve’s native token, at risk.

This massive position equals almost 34% of CRV’s total market capitalization, and the sudden 20% drop in CRV’s price following the exploit has brought Egorov perilously close to liquidation levels. A forced liquidation of this magnitude could be a devastating blow to Curve and the wider DeFi economy.

Egorov’s CRV holdings are not limited to one platform. He locked up $168 million in CRV tokens on Aave, securing a $63 million loan in Tether’s USDT stablecoin. On Fraxlend, he borrowed $17 million of the FRAX stablecoin using $32 million of CRV as collateral. He also has an $18 million loan on decentralized platform Abracadabra.

Given the interconnected nature of DeFi, Egorov’s potential liquidation could create a domino effect across decentralized lending protocols, further depressing CRV’s price. CRV is a systemically important asset used across DeFi platforms like Sushi and Uniswap, and as a popular form of collateral on Aave.

To shore up his position, Egorov has been making transactions to repay some of the capital he borrowed on Fraxlend and selling LDO, the governance token for liquid staking leader Lido, for Circle’s USDC stablecoin.

This high-stakes situation has raised eyebrows and serious questions within crypto investing circles. How was a single individual able to borrow against such a substantial portion of a “blue chip” crypto token’s supply? Should decentralized lending protocols like Aave implement safeguards to limit large, potentially systemically risky positions like Egorov’s?

The debate over these questions comes too late for Gauntlet, a risk management firm that had already spotted Egorov’s massive CRV loans on Aave as early as January. They recommended freezing the CRV market on Aave V2 to mitigate the chances of a meltdown like the one that unfolded on Monday.

Alchemix was among the hardest-hit protocols, with the attacker managing to take 5,000 ETH, possibly leaving the alETH asset partially unbacked. Alchemix paused contracts and took preventive measures, but the market’s response was swift. CRV fell by 13.4% to $0.64, alETH traded at $1,476 relative to native ETH at $1,887, and ALCX fell about 7%.

Source: https://twitter.com/PeckShieldAlert/status/1685804409610203136?s=20

Whitehat hackers played a unique role, with coffeebabe.eth returning 2,879 ETH, worth nearly $5.5 million. These funds were “ethically stolen from the hacker by front-running their malicious transaction.” The community’s dialogue, finger-pointing between development teams, and reflections by experts like Dr. Laurence Day emphasized the complexity of compilers and the assumptions made by developers.

The incident prompted a reevaluation of governance practices. Marc Zeller, the founder of Aave-Chan Initiative, stated, “Governance [is managing] this, and [the] situation gradually is getting better.” Aave’s risk reduction strategies and guidance to migrate to Aave v3 were spotlighted, showcasing the continuous evolution of risk management.

The exploit led to considerable ripple effects, with over $70 million in various digital assets hacked. The potential contagion effects were concerning, as the founder’s position “could potentially result in bad debt.” The interconnectedness of protocols, assets, and governance mechanisms revealed the delicate balance in DeFi.

The exploit’s ripple effects extended to Aave, a decentralized lending protocol that was left with roughly $1.7 million in bad debt due to an unidentified trader’s accumulated 92 million CRV token loan. The liquidation process was hindered by a lack of CRV liquidity, resulting in 385 individual mini-liquidation transactions over 50 minutes. The bad debt raised serious questions about design flaws in Aave, leading to concerns that the same exploit could be repeatable with other tokens. Aave’s native token (AAVE) temporarily dipped but later recovered, and the protocol’s response included considering changes to its liquidation threshold and potentially implementing limitations on borrowing illiquid coins. The incident underscored the urgent need for action, as one community member emphasized: “Speed is [essential] on this issue…If you can’t solve it [outright], at least mitigate this risk or communicate more.”

The recovery efforts, including whitehat interventions and market reactions, painted a nuanced picture of DeFi, where code vulnerabilities can unravel systems. The incident left lessons about vigilance, adaptability, and community collaboration. As Marc Zeller noted, the situation is “gradually getting better,” reflecting the resilience and innovation in DeFi.

The Curve Finance exploit served as a testament to the complexities and challenges of the DeFi landscape. It sparked critical conversations about accountability, collaboration, and the future of decentralized finance, where the actions of individuals, protocols, and the broader community shape an evolving and dynamic ecosystem.

Conclusion:

Source: https://cryptopotato.com/curve-finance-hacker-returns-5-4-million-but-crv-dumps-15/

The Curve Finance exploit was more than a series of attacks; it was a profound lesson in the complexities and vulnerabilities of the decentralized finance (DeFi) ecosystem. The events of that fateful day and their immediate consequences have left an indelible mark on the DeFi community.

The exploit, which led to the loss of over $70 million, was orchestrated through a vulnerability in the Vyper programming language. It affected multiple pools and had a cascading impact on protocols like Aave and Alchemix and individuals like Curve’s founder, Michael Egorov. The immediate implications included market turbulence, governance scrutiny, and a reevaluation of security measures across the DeFi space.

This incident underscored the importance of robust security measures, transparent collaboration, and trust within the DeFi community. It revealed that even well-established protocols can be vulnerable, and that trust — once eroded — can have lasting effects on investor confidence. The role of whitehat hackers and community engagement emphasized the collaborative spirit that must underpin decentralized systems.

Looking beyond the immediate impact, the Curve Finance exploit offers broader lessons about vigilance, innovation, and resilience. It has sparked critical conversations about accountability and the inherent risks of decentralization. The continuous evolution of risk management, as seen in Aave’s governance practices, hints at potential future developments in DeFi security, including enhanced auditing processes, more rigorous testing, and the establishment of industry standards.

Despite the challenges and complexities, the resilience and adaptability of the DeFi ecosystem shine through. The Curve exploit was a harsh reminder of the risks, but also a testament to the community’s ability to learn, adapt, and grow.

The Curve Finance exploit is far from a closed chapter; it’s an unfolding story that continues to ripple through the DeFi landscape. It serves as a stark reminder and an urgent call to action for all stakeholders to reinforce security, foster collaboration, and build trust. The situation is fluid, and the entire community is watching closely, understanding that the decisions made now will shape the future of decentralized finance. The challenges are real and immediate, but so is the potential for a more secure, transparent, and vibrant DeFi world. As we continue to monitor the situation, the incident stands as both a warning and a beacon, highlighting the inherent risks and the unbounded opportunities in the decentralized financial ecosystem.

Want to learn more about blockchain technology and keep informed of the latest Master Ventures news? Consider following us on Twitter and Medium!

About Master Ventures

Master Ventures is a blockchain-focused venture studio helping to build the next generation of blockchain-based Web 3.0 system innovations within the crypto industry. Launched in 2018 by Founder and CEO Kyle Chassé, the company’s ethos can best be summarized in the acronym #BeBOLD: Benevolent, Open, Love, Decentralized.

Master Ventures co-creates with entrepreneurs and businesses worldwide to turn the best ideas into innovative and disruptive products. They do this by investing as strategic partners through offering advisory services to the projects they believe in. To date, Master Ventures has invested in over 40 crypto projects, including the likes of Kraken, Coinbase, Bitfinex, Reef, DAO Maker, Mantra DAO, Thorchain, and Elrond.

For any questions, please feel free to reach out to us on:

MV Website | MV Telegram | MV Twitter

Disclaimer: Master Ventures is not responsible for the content or accuracy of any information posted on Medium and shall not be responsible for any decisions made on such information.
