Curve, a stablecoin exchange at the heart of decentralized finance (DeFi) on Ethereum, has been the victim of an exploit, according to a tweet from the project. Upwards of $100 million worth of cryptocurrency is at risk due to a “re-entrancy” bug in Vyper, the programming language used to power parts of the Curve system. Several stablecoin pools on the platform have been drained by hackers.
Other projects that use the Vyper programming language could share the same vulnerability. BlockSec, a blockchain auditing firm, estimated total losses at above $42 million in a preliminary analysis posted to Twitter. It was unclear how much had been drained from Curve as a result of the attack.
Curve operates 232 different pools, according to its website. However, only pools using Vyper versions 0.2.15, 0.2.16 and 0.3.0 are at risk, said mimaklas, a member of the team, in a Discord announcement. The team member also said that “all affected pools have been drained or white hacked, and the team is assessing the situation with affected teams.”
The heist destabilized trading markets for Curve DAO’s native CRV token, which was down 17% on the day at a price of $0.61 as of press time. This could force a liquidation of the Curve founder’s $70 million borrowing position on Aave.
UPDATE (July 30, 2023, 21:25 UTC): Adds additional information.