Curve Finance Drained of $50M While CRV Token Sinks 12% in Latest DeFi Exploit

More than $100M-worth of cryptocurrency could be at risk due to a bug impacting Curve, a stablecoin exchange at the center of Ethereum’s DeFi ecosystem.

AccessTimeIconJul 30, 2023 at 8:25 p.m. UTC
Updated Jul 31, 2023 at 3:12 p.m. UTC

Curve, a stablecoin exchange at the heart of decentralized finance (DeFi) on Ethereum, has been the victim of an exploit according to a tweet from the project.

Curve relies on smart contracts instead of middlemen to offer financial services such as stablecoin borrowing, trading and lending to users. Depositors on Curve earn annual yields of up to 4% from one of the many pools on the platform.

Upwards of $100 million worth of cryptocurrency are at risk due to a “re-entrancy” bug in Vyper, a programming language used to power parts of the Curve system. Several stablecoin pools on the platform — used for pricing and liquidity on a number of different DeFi services — have been drained by hackers so far.

"As a result of an issue in Vyper compiler in versions 0.2.15-0.3.0, following pools were hacked: crv/eth, aleth/eth, mseth/eth, peth/eth," Curve tweeted Monday.

Reentrancy is a common bug that allows attackers to trick a smart contract by making repeated calls to a protocol in order to steal assets. A call is authorization for the smart contract address to interact with a user’s wallet address.

Other projects that use the Vyper programming language could share the same vulnerability.

It was unclear at press time how much had been drained from Curve as a result of the attack. BlockSec, a blockchain auditing firm, estimated the total losses above $42 million in a preliminary analysis posted to Twitter. Tarun Chitra, chief executive officer and founder of crypto risk modeling firm Gauntlet, estimated the exploiter made away with about $20 million of CRV and a version of ether.

Curve operates 232 different pools, according to its website, but only pools using Vyper versions 0.2.15, 0.2.16 and 0.3.0 are at risk, said mimaklas, a member of the team in a Discord announcement.

Mimaklas also said that "all affected pools have been drained or white hacked, and the team is assessing the situation with affected teams."

Elsewhere, lending and borrowing protocol Aave disabled its CRV borrowing function amid the panic. A massive $100 million CRV debt from Curve founder Michael Egorov on Aave is nearing liquidation - and if CRV prices were to continue to rise and reach the liquidation threshold, the protocols will have to liquidate the CRV positions.

Whitehat Sends Funds; CRV Sinks

Curve Finance has managed to get some money back thanks to bot operator ‘c0ffeebabe.eth’ returning 2,879 ETH, worth nearly $5.5 million at current prices, to the platform. These funds were ethically stolen from the hacker by front-running their malicious transaction.

The heist destabilized trading markets for Curve DAO’s native CRV token, which was down 17% on the day at a price of $0.61 as of press time. That price action threatened to compound the chaos by potentially forcing a liquidation on the founder of Curve’s $70 million borrowing position on Aave.

Meanwhile, the total value of assets locked on Curve nosedived to $1.7 billion on Monday from more than $3 billion on Sunday, according to data provider DeFiLlama, as investor capital likely fled the exchange.

UPDATE (July 30, 2023, 21:25 UTC): Adds additional information.

UPDATE (July 30, 2023, 09:30 UTC): Updates with latest comments from Curve, contagion effects on Aave, drop in Curve DeFi value, and explains reentrancy attack.

Edited by Kevin Reynolds and Nikhilesh De.


Please note that our privacy policy, terms of use, cookies, and do not sell my personal information has been updated.

The leader in news and information on cryptocurrency, digital assets and the future of money, CoinDesk is a media outlet that strives for the highest journalistic standards and abides by a strict set of editorial policies. CoinDesk is an independent operating subsidiary of Digital Currency Group, which invests in cryptocurrencies and blockchain startups. As part of their compensation, certain CoinDesk employees, including editorial employees, may receive exposure to DCG equity in the form of stock appreciation rights, which vest over a multi-year period. CoinDesk journalists are not allowed to purchase stock outright in DCG.

Sam Kessler

Sam is CoinDesk's deputy managing editor for tech and protocols. He reports on decentralized technology, infrastructure and governance. He owns ETH and BTC.

Danny Nelson

Danny is CoinDesk's Managing Editor for Data & Tokens. He owns BTC, ETH and SOL.

Shaurya Malwa

Shaurya is the Deputy Managing Editor for the Data & Tokens team, focusing on decentralized finance, markets, on-chain data, and governance across all major and minor blockchains.

Learn more about Consensus 2024, CoinDesk’s longest-running and most influential event that brings together all sides of crypto, blockchain and Web3. Head to to register and buy your pass now.