Curve Finance TVL drops more than $1 billion due to Vyper exploit

After the attack, Curve’s CRV token became highly volatile, raising fears of contagion.

According to DeFiLlama data, the total value of assets locked in the decentralized financial protocol Curve Finance (CRV) has plummeted by nearly 50% in the past 24 hours, from $3.26 billion recorded on July 30 to $1.731 billion.

The outflow of funds can be attributed to the exploitation of the protocol, which increased the concerns of liquidations and bad debts among community members, who immediately withdrew assets from the crypto project.

Source: DefiLlama

Vyper Vulnerability Affects Curve Finance

On July 30, a faulty "reentrancy lock vulnerability" was discovered on multiple versions of the Ethereum (ETH) Virtual Machine (EVM) smart contract language Vyper. The programming language confirmed the incident, revealing that crypto projects running Vyper 0.2.15, 0.2.16, and 0.3.0 may be affected.

Following the news, Curve Finance stated that some of its stable mining pools running Vyper 0.2.15 exploited a reentrancy lock failure vulnerability.

The reentrancy attack allows an attacker to drain funds of a vulnerable contract by repeatedly calling the withdrawal function before updating the balance, and this attack is commonly used to exploit multiple DeFi protocols.

Blockchain security firm BlockSec said reentrancy attacks could pose a potential risk to all mining pools with wrapped ether (WETH).

While it's unclear how much was stolen from Curve Finance's stablecoin pool, some estimates suggest as much as $70 million may have been stolen.

However, MetaMask developer Taylor Monahan pointed to "lots of white hat activity + automated MEV bots," which means there could be fewer.

CRV Price Tank

According to the data, the bug caused Curve’s CRV token to be highly volatile, with its price plummeting around 15% to $0.64707 at the time of writing.

Meanwhile, CRV’s on-chain value dropped to a low of $0.109 as liquidity dwindled after the CRV/ETH pool was attacked.

South Korean cryptocurrency exchange Upbit suspended deposits and withdrawals of the token, citing a bug found on the platform of the DeFi project. The exchange further warned that the price of CRV is “experiencing significant volatility.”

Bad debt and sprawl concerns

Since the hackers are holding a large amount of CRV, there are fears that if they start selling, the price of the token may drop further. This creates a risk of contagion, as Curve founder Michael Egorov uses the token as collateral on several lending protocols, including Aave.

Since Egorov has more than $100 million in CRV as collateral on Aave, Inverse, and Abracadabra, a liquidation resulting from a drop in CRV prices will affect Curve and all protocols.

To avoid liquidation, Egorov has been repaying part of the loan. However, this may not prevent bad debt and spillover effects on other lending agreements to which Curve is exposed.

At the same time, the Aave Ethereum v2 version has closed the CRV lending function. According to reports, this is likely to prevent traders from using the Curve vulnerability to panic and maliciously short the borrowed CRV to promote serial liquidation.