Curve Finance Has Recovered 70% Of Hacked Funds, With Distribution Planned

5uhB...Zmmt
13 Aug 2023


Curve Finance, one of the leading decentralized finance (DeFi) protocols, has announced significant progress in its recovery efforts following a recent hack that resulted in the loss of $73.5 million across several projects within its factory pools. The attack on July 30 exploited a critical security flaw known as a “reentrancy vulnerability”, allowing malicious actors to drain funds from Curve’s smart contracts. In this article, I will explain what happened, how Curve responded, and what the next steps are for the protocol and its users.


What is Curve Finance?

Curve Finance is an automated market maker (AMM) protocol designed for swapping between stablecoins with low fees and slippage. It’s a decentralized liquidity aggregator where anyone can add their assets to several different liquidity pools and earn fees. Curve also has its own governance token, CRV, which is used for staking, voting and boosting.

Curve Finance offers various types of pools, such as base pools, meta pools, and pools with interest-bearing assets. Base pools consist of tokens that have the same peg, such as stablecoins (e.g. USDC, USDT, DAI) or variations of an asset (e.g. WBTC, renBTC). Meta pools pair a token with another base pool to form a new pool, such as the GUSD meta pool with GUSD and the 3pool (3Crv). Pools with interest-bearing assets use tokens that automatically rebalance to the highest yielding protocol, such as yTokens (e.g. yDAI, yUSDC) or aTokens (e.g. aUSDC, aUSDT).


What happened in the hack?

On July 30, 2023, several stable pools on Curve Finance were exploited due to malfunctioning reentrancy locks in several versions of the Vyper programming language. A reentrancy lock is a security mechanism that prevents a function from being called again before it has finished executing. However, due to a bug in the Vyper compiler, the lock was not applied correctly in some cases, allowing an attacker to call the same function multiple times and withdraw more funds than they should.
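The effect of a missing lock can be checked with a small model. The following is an added example, not code from Curve or Vyper: a Python toy pool whose names (`Pool`, `nonreentrant`, `lock_not_applied`, `withdraw_with_reentry`) and balances are hypothetical, and which models the compiler bug simply as a lock that is absent.

```python
class ReentrancyError(Exception):
    """Raised when a guarded function is entered while the lock is held."""

def nonreentrant(fn):
    # Working lock: refuse entry while a guarded call on this object is active.
    def wrapper(self, *args):
        if self.locked:
            raise ReentrancyError(fn.__name__)
        self.locked = True
        try:
            return fn(self, *args)
        finally:
            self.locked = False
    return wrapper

def lock_not_applied(fn):
    # Assumption: models the failure mode as a lock that is simply absent.
    return fn

def make_pool(guard):
    class Pool:
        def __init__(self, deposits):
            self.balances = dict(deposits)
            self.reserve = sum(deposits.values())
            self.locked = False

        @guard
        def withdraw(self, user, on_receive):
            amount = self.balances[user]
            if amount == 0 or amount > self.reserve:
                return 0
            self.reserve -= amount
            on_receive(amount)        # external call runs before the balance is cleared
            self.balances[user] = 0
            return amount
    return Pool

def withdraw_with_reentry(guard):
    """Return (paid_to_alice, reserve_left) when the receiver re-enters once."""
    pool = make_pool(guard)({"alice": 100, "bob": 100})   # constructed balances
    paid = []
    def receiver(amount):
        paid.append(amount)
        if len(paid) == 1:            # first payout: try to call back in
            try:
                pool.withdraw("alice", receiver)
            except ReentrancyError:
                pass                  # a working lock rejects the nested call
    pool.withdraw("alice", receiver)
    return sum(paid), pool.reserve
```

With the working lock the nested call is rejected and the other depositor's 100 stays in the reserve; with the lock absent the same balance is paid out twice and the reserve is emptied.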

The hacker used a smart contract to interact with Curve’s pools and execute a series of swaps and withdrawals that drained the funds from the pools. The affected pools were:

  • Alchemix’s pool: lost $13.6 million
  • JPEGd’s pool: lost $11.4 million
  • Metronome’s pool: lost $1.6 million
  • Lido’s pool: lost $10.4 million
  • Frax’s pool: lost $7.4 million
  • Iron Bank’s pool: lost $6.1 million
  • sETH’s pool: lost $5.6 million
  • sBTC’s pool: lost $4.2 million
  • RSV’s pool: lost $3.6 million
  • EURS’s pool: lost $2.8 million
  • USDN’s pool: lost $2.7 million
  • hBTC’s pool: lost $2.6 million
  • BUSD’s pool: lost $1.8 million

The total amount stolen was estimated to be around $73.5 million at the time of the attack.


How did Curve respond?

Curve Finance quickly reacted to the incident and deployed emergency patches to fix the vulnerability and prevent further attacks. The team also contacted the hacker and offered a 10% bounty reward for returning 90% of the stolen funds. The hacker accepted the offer and initiated a partial refund, transferring funds to the Alchemix Finance developer wallet instead of directly to Curve Finance.

As of August 12, 2023, Curve Finance has successfully retrieved 70% of the funds affected by the hack, amounting to around $50 million. The remaining 30% is still being actively investigated and pursued by the team and external auditors.

Curve Finance has also committed to a restitution process for the hacked funds, promising to distribute them back to the affected users as soon as possible. The team has published a detailed post-hack update explaining how they plan to do so.

According to the update, Curve Finance will use a snapshot of balances before the hack to calculate how much each user is owed. The users will then be able to claim their share of the recovered funds through a special interface on Curve’s website. The team expects to launch this interface by August 16, 2023.

The distribution will be done in two phases:

  • Phase 1: Users will receive their share of the recovered funds in proportion to their losses.
  • Phase 2: Users will receive their share of any additional funds that are recovered in the future.

The team also stated that they will cover any remaining losses with their own funds if necessary.


What are the next steps for Curve and its users?

Curve Finance has demonstrated remarkable resilience and transparency in handling this crisis and restoring confidence in its protocol. The team has shown its commitment to user protection and the broader DeFi community by offering a generous bounty, recovering most of the funds, and pledging to distribute them back to the users.

The next steps for Curve Finance are to finalize the distribution process, continue the investigation, and implement more security measures to prevent future attacks. The team has also announced that they will launch a new version of the protocol, Curve V2, which will introduce new features and improvements.

The next steps for Curve users are to monitor the updates from the team, claim their share of the recovered funds when the interface is ready, and continue to enjoy the benefits of providing liquidity and earning fees on Curve Finance.


Conclusion

Curve Finance is one of the most popular and innovative DeFi protocols, offering low-cost and low-slippage swaps between stablecoins and other pegged assets. However, it was recently hacked due to a bug in the Vyper compiler, resulting in a loss of $73.5 million across several pools. Curve Finance responded swiftly and effectively, recovering 70% of the funds and planning to distribute them back to the users. Curve Finance has also announced a new version of the protocol, Curve V2, which will bring more features and security.

I hope you enjoyed this article and learned something new about Curve Finance and its recovery efforts. If you did, please share it with your friends and leave a comment below. We would love to hear your thoughts and feedback. Thank you for reading!



