(2023)

Curve Finance

1000 BTC

Monetary Impact: $47,000,000

Month: July

Year: 2023

Type: Exchange

Network: Ethereum

Platform Status: Operational

Cause: Vyper reentrancy vulnerability

Incident Review

On July 30, 2023, Curve Finance, a decentralized automated market maker (AMM) on Ethereum, was hacked, resulting in a $47 million loss of CurveDAO (CRV), ETH, and wETH, as reported by Merkle Science. The attack, detected at 10:00 UTC, exploited a reentrancy vulnerability in versions 0.2.15, 0.2.16, and 0.3.0 of the Vyper programming language. It affected stablepools like alETH ($13.6 million), msETH, pETH, JPEG’d ($11.5 million), and MetronomeDAO ($130,000), with $19.7 million drained from the CRV/ETH pool, per Merkle Science.

The attacker repeatedly called the “withdraw_with_fee” function, siphoning funds from pools including 3CRV and USDT/USDC, per Twitter (@CurveFinance). Curve held $1.8 billion in total value locked, per DefiLlama. Ethical hackers acted swiftly: “c0ffeebabe.eth” recovered 2,800 ETH ($5.4 million) via a front-running bot and returned it to Curve’s deployer address, per Merkle Science.

A copycat attack on Binance Smart Chain caused a $73,000 loss. Curve’s CEO, Michael Egorov, confirmed that over 32 million CRV ($22 million) were stolen, sparking DeFi panic, per Twitter (@VyperLang).

No significant fund transfers were observed from exploiter addresses, and fake refund scams emerged, per Merkle Science. The incident was one of 299 DeFi hacks in 2023, costing $2.6 billion, per Chainalysis. Following Ronin’s $624 million loss, it fueled calls for rigorous smart contract audits, pre-audited code, and real-time vulnerability monitoring to secure DeFi platforms.
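As an added example (not part of the original report or any Curve or Vyper tooling), the following script shows one way to triage a repository of Vyper sources against the three compiler versions named above. The file names and sample sources are constructed, and ranking files that use Vyper's `@nonreentrant` decorator first is this example's assumption about where a compiler-level reentrancy flaw matters most.

```python
import re

# Vyper releases this report names as affected.
AFFECTED = {"0.2.15", "0.2.16", "0.3.0"}

PRAGMA_RE = re.compile(r"^\s*#\s*@version\s+(\S+)", re.MULTILINE)
EXACT_RE = re.compile(r"^(?:==)?(\d+\.\d+\.\d+)$")
GUARD_RE = re.compile(r"^\s*@nonreentrant\(\s*['\"]([^'\"]+)['\"]\s*\)", re.MULTILINE)

def audit_source(name, source):
    """Classify one Vyper source file by its version pragma and guard usage."""
    pragma = PRAGMA_RE.search(source)
    spec = pragma.group(1) if pragma else None
    exact = EXACT_RE.match(spec) if spec else None
    guards = sorted(set(GUARD_RE.findall(source)))
    if exact is None:
        # Missing pragma or a range such as ^0.3.0: the source alone does not
        # say which compiler built the deployed bytecode.
        status = "unpinned"
    elif exact.group(1) in AFFECTED:
        status = "affected"
    else:
        status = "not-listed"
    return {"name": name, "pragma": spec, "status": status, "guards": guards}

def triage(sources):
    """Audit all sources; affected files that use @nonreentrant come first."""
    order = {"affected": 0, "unpinned": 1, "not-listed": 2}
    results = [audit_source(n, s) for n, s in sources.items()]
    return sorted(results, key=lambda r: (order[r["status"]], not r["guards"], r["name"]))

# Constructed sample sources (not real Curve contracts).
SAMPLES = {
    "pool_a.vy": "# @version 0.2.15\n@external\n@nonreentrant('lock')\ndef remove_liquidity(_amount: uint256):\n    pass\n",
    "pool_b.vy": "# @version 0.3.7\n@external\n@nonreentrant('lock')\ndef exchange(dx: uint256):\n    pass\n",
    "pool_c.vy": "# @version ^0.3.0\n@external\n@nonreentrant(\"lock\")\ndef exchange(dx: uint256):\n    pass\n",
    "token.vy": "# @version 0.3.0\n@external\ndef transfer(_to: address, _value: uint256):\n    pass\n",
}

if __name__ == "__main__":
    for row in triage(SAMPLES):
        print(row)
```

Files reported as `unpinned` need their deployed compiler version confirmed from build or explorer metadata before they can be cleared.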
