Blockchain News

Exploit Hits Curve, Draining Upwards of $100 Million from Stablecoin Pools

Curve, a leading stablecoin exchange entrenched in the decentralized finance (DeFi) realm on Ethereum, finds itself grappling with a distressing exploit. The project’s official Twitter account recently disclosed the unfortunate news, revealing that hackers have taken advantage of a critical vulnerability. The exploit, stemming from a “reentrancy” bug in Vyper, a programming language integral to parts of the Curve system, has placed over $100 million worth of cryptocurrency at serious risk. Specifically, the hackers have successfully targeted various stablecoin pools on the platform, effectively depleting them of their assets.

The repercussions of this breach extend beyond Curve alone, as several other projects relying on the Vyper programming language might also share the same vulnerability. The incident has raised concerns and led to heightened scrutiny across the DeFi space.

Despite the gravity of the situation, the precise extent of the damages remains unclear at this juncture. BlockSec, a reputable blockchain auditing firm, took to Twitter to offer an initial analysis, estimating the total losses to exceed $42 million. However, as investigations are still underway, these figures might change.

At present, Curve operates a staggering 232 distinct pools, all of which play a crucial role in pricing and liquidity across numerous DeFi services. In response to the exploit, the Curve team swiftly identified the pools at risk, namely those utilizing Vyper versions 0.2.15, 0.2.16, and 0.3.0. They promptly notified the community through a Discord announcement, ensuring transparency and providing necessary updates.

As of this report, the situation has prompted a significant downturn in the trading markets for Curve DAO’s native CRV token. In fact, the token’s value plummeted by 17% in a single day, trading at a worrisome price of $0.61. Such sharp declines may exacerbate the chaos, posing potential liquidity risks and even a potential liquidation on the founder of Curve’s $70 million borrowing position on Aave.

The immediate aftermath of the exploit has shaken the DeFi landscape, raising questions about the security measures in place and the robustness of the Vyper programming language. Analysts and experts are closely monitoring the developments, as the fallout could extend to other projects within the DeFi space.

To safeguard the interests of stakeholders and protect the integrity of the DeFi ecosystem, it is essential that all affected projects and teams diligently assess the situation and take appropriate actions to prevent further exploits. The incident underscores the importance of rigorous security audits and thorough testing of smart contracts and protocols within DeFi platforms.

While the exact path forward remains uncertain, the crypto community is hopeful that proactive measures and cooperation among DeFi projects will mitigate future risks and maintain the long-term viability of the ecosystem.


Crypto products and NFTs are unregulated and can be highly risky. There may be no regulatory recourse for any loss from such transactions. Crypto is not a legal tender and is subject to market risks. Readers are advised to seek expert advice and read offer document(s) along with related important literature on the subject carefully before making any kind of investment whatsoever. Crypto market predictions are speculative and any investment made shall be at the sole cost and risk of the readers.