
CRV token on a slippery slope following Curve hack

Written on Jul 31, 2023
  • Curve DAO Token (CRV) has plunged 12% after news of the pool hack emerged.
  • Four pools, all of which are paired with Ether (ETH), have been confirmed hacked so far.
  • The Upbit cryptocurrency exchange has suspended CRV trading following the hack.

The Curve DAO Token (CRV) has been on the decline since Sunday, after Vyper developers identified a Curve hack on a number of stablepools. Vyper took to Twitter on July 30 and stated: “PSA: Vyper versions 0.2.15, 0.2.16 and 0.3.0 are vulnerable to malfunctioning reentrancy locks. The investigation is ongoing, but any project relying on these versions should immediately reach out to us.”

Curve Finance immediately acknowledged the hack and in a follow-up tweet said:

“A number of stablepools (alETH/msETH/pETH) using Vyper 0.2.15 have been exploited as a result of a malfunctioning reentrancy lock. We are assessing the situation and will update the community as things develop. Other pools are safe.”

Specific pools affected by the Curve hack

While Curve Finance initially stated that three pools had been affected by the Curve hack, the decentralized finance (DeFi) platform has today acknowledged that the CRV/ETH pool was also affected, bringing the total number of affected pools to four.

While Curve Finance has maintained that the hacker(s) have not been able to access the funds in the hacked pools, the platform has asked its users to withdraw their funds from these pools as a precaution, in case the hacker outsmarts its auditors and the Vyper developers.

How did the hacker exploit Curve Finance?

Most people, including developers, acknowledge that the Curve hack is not something a typical researcher would have looked for. The hacker “dug deep” into the protocol’s release history to find an exploitable issue for the protocol, which has many millions at stake. The hacker definitely spent a significant amount of time identifying the vulnerability.

Curve has pointed out that the best way to avoid being caught up in the mess is to migrate to contracts that use the most recent versions. In a tweet, Curve Finance said: “Vyper 0.3.7+ was well refactored and audited. This is not a guarantee (nothing is), but better to be migrating to contracts using the most recent versions.”
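
For teams checking their own contracts against the versions named in the PSA and in Curve's recommendation, a source audit along these lines is one starting point. This is an added example, not code from Curve or Vyper; the status labels, the `audit` function and the sample file names are hypothetical.

```python
import re

# Compiler versions named in the Vyper PSA quoted in this article.
AFFECTED = {(0, 2, 15), (0, 2, 16), (0, 3, 0)}
# Curve's tweet recommends contracts built with Vyper 0.3.7 or later.
RECOMMENDED_MIN = (0, 3, 7)

# Matches "# @version 0.2.15" and "#pragma version ^0.3.7" style lines.
PRAGMA = re.compile(
    r"^#\s*(?:@version|pragma\s+version)\s+([\^~<>=]*)\s*(\d+)\.(\d+)\.(\d+)",
    re.MULTILINE,
)
NONREENTRANT = re.compile(r"^[ \t]*@nonreentrant\s*\(", re.MULTILINE)


def audit(source: str) -> dict:
    """Classify one Vyper source file by version pragma and lock usage."""
    locks = len(NONREENTRANT.findall(source))
    m = PRAGMA.search(source)
    if m is None:
        return {"version": None, "pinned": False, "locks": locks,
                "status": "unknown"}
    version = tuple(int(x) for x in m.group(2, 3, 4))
    if version in AFFECTED:
        # The PSA is about reentrancy locks, so files that use one rank first.
        status = "affected" if locks else "affected-version-no-lock"
    elif version < RECOMMENDED_MIN:
        status = "below-recommended"
    else:
        status = "ok"
    # A range operator (^, >=, ...) does not pin the compiler that was
    # actually used; confirm it from build or deployment artifacts.
    return {"version": version, "pinned": m.group(1) in ("", "=="),
            "locks": locks, "status": status}


# Constructed sample sources, not taken from any real pool contract.
SAMPLES = {
    "pool_a.vy": '# @version 0.2.15\n@external\n@nonreentrant("lock")\n'
                 "def remove_liquidity(amount: uint256):\n    pass\n",
    "pool_b.vy": "# @version ^0.3.0\n@external\ndef ping():\n    pass\n",
    "pool_c.vy": "#pragma version 0.3.10\n@external\n"
                 '@nonreentrant("lock")\ndef swap():\n    pass\n',
    "pool_d.vy": "# @version 0.3.1\n@external\ndef ping():\n    pass\n",
    "pool_e.vy": "@external\ndef ping():\n    pass\n",
}

if __name__ == "__main__":
    for name, src in SAMPLES.items():
        print(name, audit(src))
```

A source pragma only states what the author requested, so for already deployed contracts the compiler version recorded at build or verification time is the authoritative value.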