Curve Finance’s $62M exploit exposes larger issues for DeFi ecosystem
Hackers stole around $62 million from Curve Finance on Sunday, causing a ripple effect throughout the crypto sector and raising questions about the strength of the decentralized finance ecosystem.
Curve is one of the largest decentralized exchanges (DEX) in the crypto market today, with about $1.67 billion in total value locked (TVL), according to data on DeFi TVL aggregator DeFiLlama.
A handful of DeFi projects’ pools were also hacked, including PEGd’s pETH/ETH: $11 million; Metronome’s msETH/ETH: $3.4 million; Alchemix’s alETH/ETH: $22.6 million; and Curve DAO: around $24.7 million, according to Llama Risk’s post-exploit assessment.
A bug found in older versions of the Vyper compiler contract programming language caused a failure in a security feature used by a handful of Curve liquidity pools. An admin in Curve Finance’s Telegram group declined to comment further to TechCrunch+ and referred us back to the post-exploit assessment.
By crypto standards, this wasn’t considered a “big” hack; Curve is a massive DEX, and this hack makes up about 4% of its TVL. A portion of the exploit was done by white hat hacker user c0ffeebabe.eth, who returned 2,879 ether, roughly $5.4 million, to Curve, according to on chain data.
But this exploit isn’t the only problem Curve — and the broader crypto space — is facing.
Curve founder Michael Egorov has a $100 million loan backed by 427.5 million of the DEX’s token, CRV. That’s around 47% of the entire circulating supply of CRV, according to Delphi Digital, a research and data platform. The token’s price dropping could spell bad news for the health of Curve, and could create even more volatility in the broader DeFi ecosystem.
Egorov borrowed about 63.2 million tether from Aave, against collateral of 305 million CRV which will be liquidated if the CRV/USDT pair drops to 37 cents, Delphi wrote. As it stands, CRV is down 19% to 59 cents from 73 cents before the Sunday attack, according to CoinMarketCap data.