CurveFinance Exploited: The Impact and Aftermath

•

So... @CurveFinance was exploited this weekend... What happened? What were the impacts? All you need to know about the hack below 👇

On Sunday July 30th, a hacker drained multiple Factory Pools on Curve by exploiting reentrancy lock issues . The smart contracts were using Vyper versions 0.2.15, 0.2.16, 0.3.0. This resulted in the hacker draining over $40M.

What are factory pools? Factory pools were created for projects to permissionlessly deploy their own Curve pools with any asset. These pools can also build off other base pools on curve, dipping into the already large existing liquidity that the platform is known for.

You can read more on Factory Pools by reading Curve's docs here: resources.curve.fi/factory-pools/pool-factory#understanding-factory-pools

Notable pools that were affected are: @MetronomeDAO's msETH-ETH pool ($1.6M), @JPEGd_69's pETH-ETH (>$11M) and, @AlchemixFi's alETH-ETH pool (>$13M). 32M CRV tokens valued at $22M were also drained from the swap pool.

This exploit spooked out many users and liquidity providers of Curve. Even though the total impact of the hack was estimated to be around $40M, Curve's DEX TVL declined by $1.53B on July 30th. That's a 42% decline in TVL in one day! (Chart from @DefiLlama)

How has this impacted Curve's $crvUSD? Well, the stablecoin's TVL only declined by ~$11M, which isn't significant as seen on the chart below. This, along with the TVL charts will be very interesting to pay attention to as we evaluate participant confidence in the protocol.

$CRV prices had erratic behaviours on-chain, dipping all the way down to $0.44 on Uniswap V3 (and wicking lower at different points). The drop was less dramatic on higher liquidity centralized exchanges like Binance, dropping all the way down to $0.58.

This aggressive drop in price raised concerns over the founder's loans on Aave V2. Curve's founder @newmichwill is notoriously known for having a significant sum of USDT borrowed against his $CRV tokens on Aave. This loan has been the center of attention in the past. twitter.com/JackNiewold/status/1595126505994014720

At the time of the hack, there was over $100M USD of $CRV that would have been liquidated if $CRV dipped to $0.42. Thankfully many of those debts have been repaid throughout the day, lowering the liquidation price to ~$0.37. (As of July 30th)

Luckily, @AaveAave uses @chainlink as a price oracle for its liquidations. If the protocol depended on on-chain exchanges as oracles, there would be a good chance that a 9 figure liquidation would occur, causing serious repercussions to the DeFi ecosystem.

If you're interested in reading more about the hack, @TheBlock__ wrote a great piece on it below: theblock.co/post/242066/curve-finance-factory-pools-targeted-due-to-reentrancy-vulnerability

@DefiIgnas also covered this situation very well in his mini-thread below: twitter.com/DefiIgnas/status/1685739128015765504

Hack survivoooors @_FabianHD @pt1mfv_ @francescoweb3 @DeFiMinty @schizoxbt @Subli_Defi @0xsurferboy @rektdiomedes @chilla_ct @CryptoKoryo @2lambro @thelearningpill @0xFlips @crypto_yuvi @burstingbagel

Other DeFi heads @DAdvisoor @Louround_ @CJCJCJCJ_ @crypthoem @0xSalazar @WinterSoldierxz @jake_pahor @kindahangry @Slappjakke @arndxt_xo @CryptoShiro_ @ThisIsM1NH @crypto_linn @rektfencer @NNovaDefi @0xShinChannn @DefiIgnas @0xFastLife