Unmasking the Curve Hack: A Deep Dive into the Incident

DSF Finance
4 min readSep 19, 2023

Recently, the #web3 world was shaken to its core by a major hack that targeted one of the most well-capitalized and significant projects — @CurveFinance.

Here, we will take a glance at the chronology of events — what happened, why it occurred, and what it means for the crypto world. Let’s roll!

💢July 30th — The Hack:

Curve Finance’s stablepools (alETH/msETH/pETH) fell victim to an exploit, resulting in around $70 million loss. The breach exploited a reentrancy vulnerability in Vyper versions 0.2.15, 0.2.16, and 0.3.0, which had malfunctioning reentrancy locks.

🔖 What the hack — @0xMacroSecurity wrote in a nutshell all you need to know about how reentrancy vulnerability works and even how the hack could be prevented

Read the full thread at the link https://twitter.com/0xMacroSecurity/status/1689303006359998464?s=20

💢 July 30th — Before the Storm:

CRV’s price dropped by 30%, causing a $2.3B Total Value Locked (TVL) reduction in the DeFi ecosystem, with Curve Finance’s TVL dropping by 44%.

Source: defillama.com

💢 July 31 — Edge of Chaos:

CRV experienced a severe sell-off, with its price dropping by 25%, coming close to liquidation. DeFi protocols increased interest rates for the asset. Amid the panic, Aave Ethereum v2 disabled its CRV borrowing function.

💢 July 31 — Damocles Sword:

Curve Finance’s founder had borrowed over $100 million in stablecoins on various DeFi lending protocols, backed by 47% of the circulating CRV supply, putting them near liquidation. A potential liquidation could trigger widespread DeFi consequences.

💢 July 31 — Rays of Hope:

The white hat hacker with the address ‘c0ffeebabe.eth’ returned $5.4 million to Curve’s deployer address. Another ethical hacker later returned nearly 3,000 ETH.

More details can be found here: https://twitter.com/leviathan_news/status/1690041314891747328?s=20

💢 31 July — Stars of Resilience:

The CRV token price plummeted on the DeFi market due to significant drainage from various pools. Yet, a centralized exchange (CEX) price feed ultimately saved it. Despite dropping to $0.086 on DEXs, it traded at $0.60 on CEXs, preventing a complete collapse.

Source: tradingview.com

💢 Aug 1 — Crisis Reloaded:

Curve faced another attack from a hacker who exploited a similar bug in the TriCrypto2 pool on Arbitrum. The hacker drained over $7M worth of tokens but returned them later after being contacted by the Arbitrum team.

💢 1–3 Aug — From Ashes to Alliance:

Multiple projects acquired CRV to prevent liquidation and support Curve. Notable purchasers include Justin Sun, Binance, DCFGod, Jeffrey Huang, DWF Labs, Cream Finance, Jun Du (Huobi), Marc Zeller (AAVE).

💢 3 AugFlames of Perseverance:

crvUSD briefly depegged. Curve, Metronome & Alchemix offered a 10% bounty for any returned stolen funds, with the remaining 90% to be returned by 6 Aug.

💢 4 Aug — Deceptive Lifeline:

The hacker began returning assets, but only to Alchemix and JPEGd, failing to fully refund other affected pools. In his message hacker yet stated he ”didn’t want to ruin the project”.

Source: etherscan.io

💢 6 Aug — Chasing Shadows:

The deadline was missed, and not all of the assets have been recovered. As a result, the bounty continued, and an open invitation was extended to dedox the hacker.

💢 7 Aug — Scarred Triumph:

The hacker persisted in returning funds, resulting in a total recovery of ~73% (around $52.3M) of the stolen funds. White hat hackers, MEV-bots, and the original exploiter contributed to this return. This action prevented Curve from liquidation.

💢11 Aug — Phoenix Reborn:

Investigations remained ongoing, and Curve Finance unveiled plans to refund affected users in a post-hack update.

After the Storm

So, what is this all about?

There’s a notion that the system is immature and the crypto industry risky and unsafe. But consider this: during a global crisis, major players unite and support one another. While not entirely altruistic — everyone loses if Curve fails — the system shows its ability to self-sustain.

Safety rules are learned from unfortunate experiences. No system starts perfect; strength comes from evolution and incidents like this encourage existing projects to enhance and recheck their code and security. Despite events, the system is antifragile — stress strengthens it.

Follow us on social media:

Website | Knowledge Base | LinkedIn | Twitter | Telegram

--

--

DSF Finance

DSF - DeFining successful future One-click liquidity supply and loans. We make access to the DeFi market simple and fast