The Curve Finance Hack: Explained
The Curve Finance hack is one of the most recent hacks in the DeFi ecosystem, which led to an estimated loss of over $50 million in crypto.
In this article, we look at what happened in the Curve Finance hack, share what is next for the company, and explore what this attack would mean for the DeFi industry.
Please note that while the hack has occurred, you can still buy, swap and manage your CRV tokens using Trust Wallet. Remember to always do your own research when it comes to any tokens.
Curve Finance Hack: What Happened?
On July 30, 2023, Curve Finance was hacked by unknown attackers, who reportedly stole over $50 million in cryptocurrency. The Curve Finance team and external auditors are still investigating the incident and are yet to confirm the full stolen amount.
Curve Finance is a decentralized finance protocol that people use to swap stablecoins on Ethereum without intermediaries. The protocol uses liquidity pools where people can combine and lock their assets in a smart contract. These locked assets provide liquidity, which supports the continuous trade of different digital currencies on the platform. Those who lock up their assets receive periodic rewards on them. Liquidity pools therefore help decentralized exchanges like Curve Finance operate efficiently.
During the hack, some stablecoin liquidity pools on Curve Finance were attacked and drained due to vulnerabilities in the pools’ coding language. The targeted pools use Vyper, a third-party programming language for smart contracts built on Ethereum. Vyper has been upgraded over time, but the Curve Finance liquidity pools affected by the hack were still using older versions, specifically version 0.2.15.
In an initial tweet, the Curve Finance team attributed the hack to a malfunctioning reentrancy lock, a guard meant to stop a contract function from being called again before an earlier call to it has finished. However, the team also mentioned that they were still investigating exactly what happened before and during the hack.
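To show what a reentrancy lock is for, here is a toy Python model added for this article. It is not Curve's or Vyper's code and does not reproduce the Vyper defect itself; `ToyPool`, `run_scenario` and the balances are constructed for illustration.

```python
class Reverted(Exception):
    """Stands in for an EVM revert (toy model, not Curve or Vyper code)."""

class ToyPool:
    def __init__(self, lock_works):
        self.lock_works = lock_works  # False models a lock that fails to hold
        self.locked = False
        self.shares = {}              # depositor -> recorded balance
        self.reserves = 0             # funds the pool actually holds

    def _enter(self):
        # The reentrancy lock: refuse entry while another call is in progress.
        if self.lock_works and self.locked:
            raise Reverted("reentrant call blocked")
        self.locked = True

    def deposit(self, who, amount):
        self._enter()
        try:
            self.shares[who] = self.shares.get(who, 0) + amount
            self.reserves += amount
        finally:
            self.locked = False

    def withdraw(self, who, on_receive):
        self._enter()
        try:
            amount = self.shares.get(who, 0)
            self.reserves -= amount
            on_receive(amount)        # external call made before bookkeeping
            self.shares[who] = 0      # balance is cleared only afterwards
        finally:
            self.locked = False

def run_scenario(lock_works, reentries=2):
    """Return (total paid to the caller, reserves left) for constructed deposits."""
    pool = ToyPool(lock_works)
    pool.deposit("other", 100)        # constructed sample balances
    pool.deposit("caller", 10)
    received = []
    def on_receive(amount):
        received.append(amount)
        if len(received) <= reentries:
            try:
                pool.withdraw("caller", on_receive)  # call back in mid-withdrawal
            except Reverted:
                pass                  # a working lock rejects the nested call
    pool.withdraw("caller", on_receive)
    return sum(received), pool.reserves
```

With a working lock the nested call is rejected and the caller receives only its own 10 units. With the lock disabled, the same balance is paid out three times and the other depositor's reserves shrink.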
Some of the stable pools affected included Metronome’s msETH/ETH pool, which was, at the time of writing, drained of up to $3.4 million; the Curve DAO, drained of around $24.7 million; PEGD’s pETH/ETH pool, drained of $11 million; and Alchemix’s alETH/ETH pool, which was drained of $22.6 million at the time of writing.
Beyond these pools, there were reports of similar attacks carried out on the BNB Smart Chain, leading to a loss of up to $78,000. The pools impacted by the attack were using the Vyper language, while all the other pools on Curve Finance remain safe.
While the attack is still under investigation, it has had a ripple effect on the price of CRV, Curve Finance’s native DAO token. During the week of the attack, the price dropped by 22.18%, from an initial price of $0.73 to $0.56 at the time of writing.
The Curve Finance attack came as a surprise to the platform’s team and the DeFi space at large. However, the team is currently working on identifying and fixing the vulnerability.
One of the ways they are doing this is by advising liquidity pools to update their smart contracts to the current versions of the programming languages used to create them. These updates will help reduce the risk of a similar attack happening on the platform.
Besides the Curve Finance team, other players, including white hat hackers, have helped mitigate the attack. White hat hackers are ethical hackers who try to exploit networks or systems to identify security flaws, then recommend how companies and projects can improve their systems. One white hat hacker who has helped to retrieve funds from the Curve hack is c0ffeebabe.eth, who helped to recover up to $5.4 million (3,000 ETH) of the stolen funds by using a maximal extractable value (MEV) Ethereum arbitrage trading bot to front-run the hackers.
Currently, interested parties are releasing statements and ‘post-mortems’ on the Curve Finance hack. This information will give a full picture of what caused the attack and its effects on Curve Finance.
What Does This Attack Mean for DeFi?
While the most recent attack was centered on Curve Finance, there are bound to be ripple effects on the larger DeFi industry.
The Curve Finance hack is a loud reminder that DeFi is still a young industry with risks. One of the risks that has come up is inefficiency in the maintenance of different protocols, evidenced by a minor flaw in a programming language that put millions of dollars’ worth of crypto at stake.
The hack showed that security is still an issue in DeFi and that companies invested in the industry should take extra precautions to ensure secure customer transactions.
The cyber attack could lead to stricter regulations for DeFi protocols since many governments and regulators are taking a closer look at how these protocols function. These regulations have in the past caused lawsuits in crypto, like in Ripple’s case, and may affect other companies in the space.
The reality is that risks in DeFi remain, which is part of the reason we developed the Trust Wallet Security Scanner. The Security Scanner helps to keep your Web3 experience safer by informing you of any risky transactions while ensuring you still have complete control over your digital assets.
The Curve Finance hack is a significant event in the DeFi space, which has highlighted how vulnerable these new financial protocols can still be, despite DeFi being around for several years now. Even major protocols, such as Curve Finance, can be susceptible to attacks.
As someone who uses or plans to use DeFi protocols, it’s important to stay informed about the latest developments in the DeFi market. You can also take personal steps like using a secure wallet like Trust Wallet to ensure a better experience and protect your funds.
Lastly, remember to do your own research on any current or upcoming projects or platforms before investing in or deploying capital in them.
Note: Any cited numbers, figures, or illustrations are reported at the time of writing, and are subject to change.