Understanding the whole story of the Curve attack incident in one article, what impact has it had and how will it develop in the future?

Learn about the Curve attack incident, its impact, and future development in one article.

Original author: flumen

The event that attracted industry attention yesterday was the attack on Curve. The incident originated from an attack on the Ethereum smart contract programming language Vyper, in which the reentrancy lock in versions 0.2.15, 0.2.16, and 0.3.0 of Vyper became ineffective in the early morning of July 31st. The malicious actor used the reentrancy attack to repeatedly resign the contract, resulting in unauthorized operations or funds being stolen.

Curve, a project developed using specific versions of Vyper (Uniswap is developed using Solidity), has been attacked, including the Curve Finance among other important projects. The following is the process of the attack on Curve in the 12 hours before and after:

It is reported that four liquidity pools in the Curve ecosystem, CRV/ETH, alETH/ETH, msETH/ETH, and pETH/ETH, have been attacked, resulting in a loss of over $45 million in liquidity from the lending protocol Alchemix, synthetic asset Metronome, and NFT lending platform JPEG’d. Nearly $25 million has been drained from the CRV/ETH pool. Another pool that may be affected is the Arbitrum Tricrypto pool, but auditors and Vyper developers have not yet found any exploitable vulnerabilities. The estimated amount exploited in Curve is as high as $70 million. Some of the funds are held by white-hat hackers and MEV bots, which may be recovered.

Curve is a decentralized liquidity pool exchange on Ethereum, specializing in the exchange and swapping of stablecoins and pegged assets. Its core values are permissionlessness, low barriers to entry, composability, low-cost liquidity, and flexibility in governance. After the attack, the price of CRV hit a low of $0.583, but Curve still holds 7 million CRV (approximately $4.5 million).

Reactions after Curve’s attack

After the attack on Curve, founder Michael Egorov started on-chain collateralized loans to make up for the losses. Michael collateralized his CRV on various lending protocols and obtained a large amount of loans, with the largest loan coming from Aave. According to crypto researcher 0xLoki, Michael Egorov currently has collateralized 292 million CRV ($181 million) and borrowed $110 million, primarily distributed as follows: 1. Collateralized 190 million CRV on Aave and borrowed $65 million, with a liquidation price of $0.37; 2. Collateralized 46 million CRV on FRAXlend and borrowed 21 million FRAX, with a liquidation price of $0.4; 3. Deposited 40 million CRV on Abracadabr and borrowed $18 million, with a liquidation price of $0.39; 4. Deposited 16 million CRV on Inverse and borrowed $7 million, with a liquidation price of $0.4. As of the time of writing, dollar.eth monitoring shows that Curve founder Michael Egorov has repaid and withdrawn 7.5 million CRV from Fraxlend and sent it to a new EOA address, then received USDT from an unknown address, which may be an OTC transaction. “Based on the calculation of 2.5 million CRV per 1 million USDT, the OTC price should be $0.4.” Today, founder Michael Egorov also deployed a Curve 2 pool consisting of crvUSD and Fraxlend’s CRV/FRAX LP tokens and injected $100,000 worth of CRV incentives. This measure is seen as an attempt to incentivize liquidity to enter the lending market, reduce utilization, and mitigate the risk of debt spiraling out of control. Within 4 hours of its launch, the pool has attracted $2 million in liquidity and reduced utilization to 89%.

According to Bankless, liquidity in the CRV/ETH pool of Curve has disappeared. Once bad debts occur, the lending protocol must use insurance funds. For example, Aave will sell AAVE tokens from its safety module to make up for any shortages, but the sale will reduce the value of the remaining collateral.

In addition, if liquidity continues to decrease in Curve and other on-chain DEXs, the price will become increasingly unstable.

How is the market observing?

On the one hand, lending institutions are competing to extract funds from money market protocols. The utilization rate of Aave’s USDT pool exceeds 50%, and the borrowing rate has skyrocketed to 91%, putting enormous pressure on Michael Egorov’s position: if the interest rate does not decrease, it will be liquidated within a few days. The negative reaction caused by the attack on Curve may lead to a crisis of spreading risks in DeFi. On the other hand, industry insiders also have optimistic news. According to industry sources, “Michael has secured $55 million, enough to clear most of the debts that are close to being liquidated, and the risk is basically eliminated, so you can sleep well.” The practitioner said that $55 million is a force that brings together a community of multiple interests, and Curve will announce it later. According to Twitter @Mr. Block, major projects need veCRV, including Binance’s $BETH and $stUSDT/$USDD. There are also $stETH, $STBT, and $FRAX.

What is the future of DeFi?

It is too macro to talk about the future of DeFi. Although attacks on smart contract programming languages are rare in the DeFi field, in the past DeFi world, events such as the collapse of FTX, the closure of crypto-friendly banks, and the Luna incident have also occurred in the DeFi field. Therefore, from the perspective of the attacked programming language, the security level of blockchain is still too low.

Vyper, as the second most popular smart contract programming language, is a programming language for smart contracts, which can be compiled into bytecode that runs on the Ethereum Virtual Machine (EVM) and runs on the EVM, just like Solidity.

Whether it is based on the features developed in Python, storing local variables in memory rather than on the stack, or providing more built-in functions, for Curve, it should assess the risks of the underlying programming language (Curve contracts are more complex, and Vyper makes these complexities easier to manage and further saves gas). As a well-known DeFi project, the project party should anticipate the consequences of the attack.


The follow-up reactions to the attack on Curve are still ongoing, and the subsequent progress can be followed to understand this new field of DeFi.