Curve Exploited for $41M Due to Vyper Vulnerability

  • Versions 0.2.15, 0.2.16, and 0.3.0 of Vyper have malfunctioning reentrancy locks, which left smart contracts compiled with them vulnerable to reentrancy attacks.
  • An estimated 460 contracts were compiled using these versions of Vyper, resulting in millions being lost to attacks, with Curve Finance reportedly losing $41 million.

Decentralized finance (DeFi) platform Curve Finance had some of its stablepools exploited for $41 million in crypto due to a vulnerability in some versions of Vyper, the platform said via Twitter (now X) on 30 July.

In a separate announcement, the team behind Vyper — a third-party programming language for Ethereum smart contracts — warned the community that versions 0.2.15, 0.2.16, and 0.3.0 did not correctly implement the reentrancy guard that is meant to stop a contract's protected functions from being entered again while one of them is still executing, and as such left some pools vulnerable to reentrancy attacks. An analysis from security firm Ancilia suggests that over 450 contracts were compiled using the affected versions of Vyper.
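To make the guard failure described above concrete, here is an added toy model (constructed for this article, not Vyper's or Curve's code) of a shared reentrancy lock: two pool functions declare the same lock key, and a callback standing in for an external call tries to re-enter the other function mid-update. The function names and balances are constructed, and the faulty variant assumes the failure takes the form of each function getting its own lock slot instead of one shared slot.

```python
# Toy model of a Vyper-style shared reentrancy lock (constructed; not Vyper's own code).
# Correct: every function using the same key maps to ONE lock slot. Faulty (the mode
# assumed here): each function gets its OWN slot, so cross-function re-entry is not caught.
class Reentered(Exception):
    """Raised when a protected function is entered while its lock is held."""
class Pool:
    def __init__(self, shared_lock):
        self.shared_lock = shared_lock
        self.locks = {}               # lock slot -> held?
        self.balance = 100            # constructed sample liquidity
        self.on_external_call = None  # stands in for the hook an ETH transfer hands a caller

    def _slot(self, fn):
        return "lock" if self.shared_lock else f"lock:{fn}"

    def _enter(self, fn):
        if self.locks.get(self._slot(fn)):
            raise Reentered(fn)
        self.locks[self._slot(fn)] = True

    def _exit(self, fn):
        self.locks[self._slot(fn)] = False

    def remove_liquidity(self, amount):
        self._enter("remove_liquidity")
        try:
            self.balance -= amount
            if self.on_external_call:
                self.on_external_call(self)  # pool state is mid-update here
        finally:
            self._exit("remove_liquidity")

    def add_liquidity(self, amount):
        self._enter("add_liquidity")
        self.balance += amount
        self._exit("add_liquidity")

def reentry_blocked(shared_lock):
    """True if a cross-function re-entry during remove_liquidity is rejected."""
    pool, blocked = Pool(shared_lock), False
    def callback(p):
        nonlocal blocked
        try:
            p.add_liquidity(1)
        except Reentered:
            blocked = True
    pool.on_external_call = callback
    pool.remove_liquidity(10)
    return blocked
```

With a shared slot the re-entry raises `Reentered`; with per-function slots the second function runs while the first is still mid-update, which is exactly the situation a reentrancy lock exists to prevent.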

While it remains unclear how much was lost due to the attack on the affected pools, a member of Curve’s team revealed on Discord that “all affected pools have been drained or white hacked, and the team is assessing the situation with affected teams”. The CEO of Curve, Michael Egorov, confirmed via Telegram that close to $22 million worth of CRV tokens were drained from swap pools. Security firm BlockSec, however, has estimated that the overall asset outflow connected to the security incident was closer to $41 million.

Curve Finance was not the only DeFi platform to be affected by the security vulnerability. Decentralized exchange Ellipsis saw a small number of stablepools with BNB exploited using the Vyper vulnerability. Alchemix’s alETH-ETH, JPEGd’s pETH-ETH, and Metronome’s sETH-ETH pools also saw significant outflows. Security firm BlockSec also reported that the BNB Smart Chain (BSC) also suffered a copycat attack using the Vyper vulnerability, with the attacker stealing close to $73,000 worth of crypto.

Ever since news of the exploit broke, whitehat hackers have been working to disrupt further exploit attempts and to recover as much of the lost funds as possible. A whitehat hacker known as “c0ffebabe.eth” was able to drain some funds for safekeeping, and later returned close to 2,000 ETH (over $5 million) to the Curve platform. She also moved another 1,000 ETH to a newly created wallet, presumably a cold wallet for safekeeping.
