Hackers stole around $62 million from Curve Finance on Sunday, causing a ripple effect throughout the crypto sector and raising questions about the strength of the decentralized finance ecosystem.
Curve is one of the largest decentralized exchanges (DEX) in the crypto market today, with about $1.67 billion in total value locked (TVL), according to data on DeFi TVL aggregator DeFiLlama.
A handful of DeFi projects’ pools were also hacked, including PEGD’s pETH/ETH: $11 million; Metronome’s msETH/ETH: $3.4 million; Alchemix’s alETH/ETH: $22.6 million; and Curve DAO: around $24.7 million, according to LlamaRisk’s post-exploit assessment.
A bug found in older versions of the Vyper compiler contract programming language caused a failure in a security feature used by a handful of Curve liquidity pools. An admin in Curve Finance’s Telegram group declined to comment further to TechCrunch+ and referred us back to the post-exploit assessment.
By crypto standards, this wasn’t considered a “big” hack; Curve is a massive DEX, and this hack makes up about 4% of its TVL. A portion of the exploit was done by white hat hacker user c0ffeebabe.eth, who returned 2,879 ether, roughly $5.4 million, to Curve, according to on chain data.
But this exploit isn’t the only problem Curve — and the broader crypto space — is facing.
Curve founder Michael Egorov has a $100 million loan backed by 427.5 million of the DEX’s token, CRV. That’s around 47% of the entire circulating supply of CRV, according to Delphi Digital, a research and data platform. The token’s price dropping could spell bad news for the health of Curve and could create even more volatility in the broader DeFi ecosystem.
Egorov borrowed about 63.2 million tether from Aave Protocol V2, against collateral of 305 million CRV, which will be liquidated if the CRV/USDT pair drops to 37 cents, Delphi wrote. As it stands, CRV is down 19% to 59 cents from 73 cents before the Sunday attack, according to CoinMarketCap data. (Aave reached out to TechCrunch post-publication to note that its latest update released this January would make similar actions harder to take.)
Next in store
If Egorov hits that liquidation level, it could result in the CRV collateral backing the loan being sold off into an already shaky market, creating even more volatility in the broader DeFi ecosystem.
In November 2022, Curve Finance tweeted that both Solidity and Vyper are “good” if the code is well written and tested, and errors usually come from developers of the contract, not compilers. “But compilers are not bug-free,” Curve also wrote. One ApeWorX developer and Vyper contributor tweeted that code compilers don’t get “reviewed or audited as much as you think.”
In general, whenever any code-based system or project is updated, it should be audited and battle tested to avoid situations where exploits can occur. But that’s not always the case, especially in the crypto ecosystem where security isn’t always prioritized by many entities, both small and large.
However, security levels of crypto projects have improved significantly in the past few years, Ronghui Gu, CEO and co-founder of security-focused auditing firm CertiK previously told TechCrunch+. Before the decentralized finance wave, or “DeFi Summer,” in 2020, most projects only did audits to launch tokens, Gu said. “Now I’d say most projects are audited.”
One would expect that some of the biggest DeFi protocols like Curve would have security measures in place, even for automated smart contracts that execute without a middleman. But Curve’s vulnerability came from the Vyper compiler that reads the code, not its smart contract code. So who’s really to blame here? There’s not really one answer. Again, Curve declined to comment.
As Curve’s exploit shows, nothing is 100% certain and code updates can create significant opportunities for bad actors. (This is not new; recall Microsoft Windows operating system’s history of new versions, and new exploits.)
“Another pool potentially affected is Arbitrum’s Tricrypto pool,” the LlamaRisk report stated. “Auditors and Vyper devs could not find a profitable exploit, but Curve is advising LPs to exit that pool as a precaution.”
Going forward
Aside from the obvious multimillion-dollar hole left in the Curve community, there’s potential that the bigger crypto ecosystem will see more aftereffects given the potential for Egorov’s liquidation. Other exploits may also be waiting in the shadows if others using the Vyper code don’t act fast enough to fix the vulnerability.
The DeFi market has over $40 billion in TVL, according to DefiLlama, meaning that there’s potential for serious damage if contagion spreads across the ecosystem. If Egorov’s position gets liquidated, any DeFi protocol and project that integrate CRV tokens as collateral are at risk of being affected, possibly unleashing a domino effect.
Some crypto market players, like Tron founder Justin Sun, announced that they stepped in to “partner” with Curve. A crypto wallet linked to Sun acquired about 5 million CRV tokens from Egorov for $2 million USDT in a likely over-the-counter deal, according to security firm PeckShield.
By buying CRV tokens, one could speculate that it was done to help prevent the token from crumbling further, but we’ll see if Sun’s actions, and others’, hold up the cryptocurrency’s price enough.
To get a roundup of TechCrunch’s biggest and most important crypto stories delivered to your inbox every Thursday at 12 p.m. PT, subscribe here.
