Curve Finance TVL falls over $1B following Vyper vulnerability exploit
Curve's CRV token became highly volatile following the attack, prompting fears of contagion.
The total value of assets locked on decentralized finance protocol Curve Finance (CRV) plunged nearly 50% in the last 24 hours to $1.731 billion from $3.26 billion recorded on July 30, according to DeFiLlama data.
The exodus can be attributed to an exploit of the protocol, which increased fears of liquidation and bad debt among community members who immediately withdrew their assets from the crypto project.
Vyper vulnerability affects Curve Finance
On July 30, a vulnerability involving malfunctioning reentrancy locks was found in multiple versions of Vyper, a smart contract language for the Ethereum Virtual Machine (EVM). Vyper confirmed the incident, revealing that crypto projects running Vyper 0.2.15, 0.2.16, and 0.3.0 could be impacted.
Following the news, Curve Finance stated that some of its stable pools running Vyper 0.2.15 had been exploited through the malfunctioning reentrancy lock.
A reentrancy attack allows an attacker to drain funds of a vulnerable contract by repeatedly calling the withdraw function before it updates its balance. This attack has been commonly used to exploit several DeFi protocols.
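The ordering problem described above, modeled in Python as an added example (a constructed toy pool, not Curve's or Vyper's code; `Pool`, `paid_out` and the balances are assumptions made for illustration). It runs one withdrawal transaction against a pool with no lock, with a working reentrancy lock, and with the balance updated before the payout.

```python
class Revert(Exception):
    """Stands in for an EVM revert: the whole transaction is undone."""

class Pool:
    """Toy model of a pool's withdraw path (constructed, not Curve's code)."""
    def __init__(self, lock_enabled, effects_first=False):
        self.balances, self.reserves = {}, 0
        self.lock_enabled, self.effects_first = lock_enabled, effects_first
        self._locked = False

    def deposit(self, who, amount):
        self.balances[who] = self.balances.get(who, 0) + amount
        self.reserves += amount

    def withdraw(self, who, on_receive):
        # A working reentrancy lock rejects a nested entry outright.
        if self.lock_enabled and self._locked:
            raise Revert("reentrant call")
        self._locked = True
        try:
            amount = self.balances.get(who, 0)
            if amount == 0 or amount > self.reserves:
                raise Revert("nothing to withdraw")
            if self.effects_first:
                self.balances[who] = 0      # state updated before paying out
            self.reserves -= amount
            on_receive(amount)              # external call: recipient's code runs here
            self.balances[who] = 0          # too late if the recipient re-entered
        finally:
            self._locked = False

def paid_out(pool, reenter):
    """Run one withdrawal transaction; return what the caller received."""
    pool.deposit("others", 90)
    pool.deposit("caller", 10)              # caller is entitled to 10 only
    received = []
    def on_receive(amount):
        received.append(amount)
        if reenter and pool.reserves >= amount:
            pool.withdraw("caller", on_receive)
    snapshot = (dict(pool.balances), pool.reserves)
    try:
        pool.withdraw("caller", on_receive)
    except Revert:
        pool.balances, pool.reserves = snapshot   # revert rolls back all state
        return 0
    return sum(received)

if __name__ == "__main__":
    print("no lock, late update :", paid_out(Pool(False), reenter=True))
    print("working lock         :", paid_out(Pool(True), reenter=True))
    print("update before payout :", paid_out(Pool(False, True), reenter=True))
    print("honest withdrawal    :", paid_out(Pool(True), reenter=False))
```

Without a lock and with the late balance update, the caller's 10-unit entitlement pays out the pool's full 100; either a working lock or updating the balance first makes the nested call revert and the transaction roll back.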
BlockSec, a blockchain security firm, said the reentrancy attack could potentially put all pools with wrapped Ether (WETH) at risk.
While it was unclear how much was stolen from Curve Finance’s stablecoin pools, some estimates suggest that as much as $70 million might have been stolen.
However, a MetaMask developer, Taylor Monahan, noted “lots of whitehat activity + automated MEV bots,” meaning the amount might be lower.
CRV’s price tanks
The exploit has made Curve’s CRV token highly volatile, with its price dumping by around 15% to $0.64707 at the time of writing, according to CryptoSlate’s data.
Meanwhile, CRV’s on-chain value hit lows of $0.109 as liquidity tapered off after the CRV/ETH pool was attacked.
South Korean crypto exchange Upbit suspended deposits and withdrawals for the token, citing vulnerabilities discovered on the DeFi project’s platform. The exchange further warned that CRV’s price was “experiencing significant volatility.”
Bad debt and contagion fears
With hackers holding a significant amount of CRV, there are concerns that the token’s price might fall further if they start selling. This presents a contagion risk because Curve founder Michael Egorov used the token as collateral on several lending protocols, including Aave.
With Egorov having over $100 million in CRV as collateral on Aave, Inverse, and Abracadabra, a liquidation triggered by a drop in CRV's price will affect Curve and all of these protocols.
To avoid liquidation, Egorov has been paying down some of the loans. However, this might not prevent bad debt and spillover effects for other lending protocols exposed to Curve.
Meanwhile, Aave's Ethereum v2 deployment has turned off the CRV borrowing function. Wu Blockchain reported that this was probably done to prevent traders from using the panic around the Curve vulnerability to maliciously short borrowed CRV and promote serial liquidation.