The Curve DAO Exploit: Understanding the Vulnerability in DeFi
Decentralized Finance (DeFi) has revolutionized the financial landscape, offering users the ability to engage in various financial activities without intermediaries. However, as with any innovative technology, vulnerabilities can arise, leading to potential exploits. On July 30, Curve Finance, a decentralized exchange on Ethereum, fell victim to a hack due to a vulnerability in certain pools built using the Vyper programming language. The price of Curve DAO (CRV) dropped 20.91% on the day of the hack, plummeting to a two-month low of $0.58.
The following day, the decline in CRV continued to a seven-month low of $0.48, fueled by fears of liquidation of hefty loans worth $100 million taken by Curve Finance founder Michael Egorov against CRV as collateral.
The Hack and Its Aftermath
Curve Finance, a decentralized exchange (DEX) known for its efficient stablecoin trading, experienced a significant breach on July 30, 2023. The exploit targeted its CRV/ETH pool, resulting in the loss of approximately 7 million CRV tokens and $14 million worth of wrapped ether (WETH).
This incident sent shockwaves through the DeFi community, exposing a vulnerability that extended beyond Curve Finance itself. The hack highlighted a flaw in certain pools built using the Vyper programming language, raising concerns about the broader DeFi ecosystem's security.
The DeFi Community's Response
In response to the crisis, Egorov sold 39.25 million CRV tokens for stablecoins to a number of notable decentralized finance investors like Justin Sun, Machi Big Brother, and DWF Labs for a total of $15.8 million. Egorov also partially paid his Tether loans on Aave, reducing the principal from $63.20 million to $54.1 million. This partial repayment of the loan comes as a positive step in reducing the liquidation risk.
The Underlying Vulnerability
The hack was made possible by a critical vulnerability with repercussions across various pools, stemming from a bug in earlier versions of the Vyper programming language. As security firm Ancilia probed deeper into the situation, the full scope of the vulnerability came to light. According to their analysis, many contracts were exposed to potential risks. Specifically, 136 contracts relied on Vyper 0.2.15 with reentrant protection, 98 contracts were built using Vyper 0.2.16, and 226 contracts employed Vyper 0.3.0.
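The passage above describes a reentrancy lock that failed in specific compiler versions. The Python model below is an added example, not code from this article or from the Curve or Vyper projects: it mimics the shape of a Vyper `@nonreentrant("key")` guard in plain Python so the difference between a lock shared by every function declaring the same key and a lock that is silently scoped per function can be exercised as a regression test. The `Pool` contract, its two entry points, the `on_transfer` hook and the balances are all constructed for the test; the two lock models are simplified assumptions about correct versus faulty semantics, not a reproduction of the compiler internals.

```python
"""Simplified Python model of Vyper-style @nonreentrant("key") locks.

Added example (assumed semantics, not the Vyper compiler's code):
  - SharedKeyLocks  : one lock slot per key, shared by every function that
                      declares that key (the intended behaviour).
  - PerFunctionLocks: each function gets its own slot even when keys match,
                      so a call can re-enter a *sibling* function while the
                      first is still in flight.
Pool shape and figures are constructed for the test.
"""
from typing import Callable, Dict, Hashable


class Reentered(Exception):
    """Raised when a call hits a lock that is already held."""


class SharedKeyLocks:
    """Correct semantics: the lock slot is derived from the key alone."""

    def slot_for(self, key: str, fn_name: str) -> Hashable:
        return key


class PerFunctionLocks:
    """Faulty semantics: the slot also depends on the function name, so
    functions that declare the same key no longer guard each other."""

    def slot_for(self, key: str, fn_name: str) -> Hashable:
        return (key, fn_name)


def nonreentrant(key: str):
    """Decorator modelling @nonreentrant(key); consults the pool's lock model."""

    def decorate(fn):
        def wrapper(self, *args, **kwargs):
            slot = self.locks.slot_for(key, fn.__name__)
            if self.lock_state.get(slot, False):
                raise Reentered(fn.__name__)
            self.lock_state[slot] = True
            try:
                return fn(self, *args, **kwargs)
            finally:
                self.lock_state[slot] = False

        wrapper.__name__ = fn.__name__
        return wrapper

    return decorate


class Pool:
    """Toy liquidity pool: two entry points that both declare key "lock"."""

    def __init__(self, locks) -> None:
        self.locks = locks
        self.lock_state: Dict[Hashable, bool] = {}
        self.balances: Dict[str, int] = {}
        self.reserve = 0

    @nonreentrant("lock")
    def add_liquidity(self, user: str, amount: int) -> int:
        self.balances[user] = self.balances.get(user, 0) + amount
        self.reserve += amount
        return self.balances[user]

    @nonreentrant("lock")
    def remove_liquidity(self, user: str, amount: int,
                         on_transfer: Callable[["Pool", str, int], None]) -> int:
        if self.balances.get(user, 0) < amount:
            raise ValueError("insufficient balance")
        self.reserve -= amount
        # The external call (e.g. an ETH transfer hook) runs before the balance
        # is written back: exactly the window the lock is supposed to close.
        on_transfer(self, user, amount)
        self.balances[user] -= amount
        return self.balances[user]


def _probe(locks, reenter: Callable[[Pool, str, int], None]) -> bool:
    """Run a withdrawal whose hook tries to re-enter; True if the lock held."""
    pool = Pool(locks)
    pool.add_liquidity("lp", 100)
    blocked = []

    def hook(p: Pool, user: str, amount: int) -> None:
        try:
            reenter(p, user, amount)
        except Reentered:
            blocked.append(True)
        else:
            blocked.append(False)

    pool.remove_liquidity("lp", 50, hook)
    return blocked[0]


def same_function_reentry_blocked(locks) -> bool:
    """Re-entering remove_liquidity itself: both models block this."""
    return _probe(locks, lambda p, u, a: p.remove_liquidity(u, a, lambda *_: None))


def cross_function_reentry_blocked(locks) -> bool:
    """Re-entering add_liquidity from inside remove_liquidity: only the
    shared-key model blocks this."""
    return _probe(locks, lambda p, u, a: p.add_liquidity(u, 0))


if __name__ == "__main__":
    for name, model in (("shared-key", SharedKeyLocks()),
                        ("per-function", PerFunctionLocks())):
        print(name, "same-fn blocked:", same_function_reentry_blocked(model),
              "cross-fn blocked:", cross_function_reentry_blocked(model))
```

The point the test makes is that a guard which only stops a function from re-entering itself can pass a naive audit: both models reject `remove_liquidity` calling `remove_liquidity`. Only the cross-function probe exposes the per-function model, which is why a review of a contract compiled with an affected toolchain should check that every pair of functions sharing a lock key actually excludes each other, rather than trusting the decorator by its name.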
The Market Impact
The CRV/USD pair is trending near multiyear lows at around $0.50. If buyers are able to build support at this level, the price can rally in the short to medium term toward the horizontal resistance levels of $0.78 and $1.23. However, the risk is still not eliminated completely. The hackers are still sitting on 7.1 million CRV tokens worth $4.5 million. If the attackers convert their holdings into stablecoins or more liquid tokens such as Bitcoin or Ether, the price may revisit this week’s low, around $0.48.
Efforts to Save Curve DAO: White Hat Operations and Loan Repayment
In the face of the exploit, the DeFi community rallied to mitigate the damage and protect the funds at risk. A white hat rescue operation was initiated, but unfortunately, the exploit occurred just moments before its execution. However, there were some positive developments amidst the chaos. Egorov sold 39.25 million CRV tokens to notable DeFi investors at a discounted price of $0.40 per token, raising $15.8 million. This infusion of funds helped to alleviate some of the immediate liquidity concerns. Additionally, Egorov made partial repayments on his Tether (USDT) loans on Aave, reducing the principal from $63.20 million to $54.1 million, reducing the risk of liquidation.
Potential for a Short Squeeze: Contrarian Bet on CRV
The derivatives market surrounding CRV tokens provided an interesting glimpse into the sentiment of traders. The funding rate for CRV perpetual swaps, which represents the demand for long or short positions, fell to -0.1% for eight-hour intervals. This indicated that traders were actively shorting CRV, anticipating further price declines. However, this scenario also raises the potential for a short squeeze, where short holders are forced to buy CRV as its price rallies, exacerbating the upward movement.
The Future of DeFi and Curve DAO
The Curve Finance exploit serves as a stark reminder of the importance of robust security measures in the DeFi space. The vulnerability in Vyper highlights the need for thorough code audits and rigorous testing, particularly when utilizing less widely adopted programming languages. It also underscores the significance of prompt communication and responsible disclosure of vulnerabilities to minimize the potential for further attacks. As the DeFi ecosystem continues to evolve, it is crucial for developers, auditors, and users to prioritize security and collaborate to strengthen the overall resilience of decentralized financial systems.
The situation has drawn security analysts' attention, with BlockSec revealing that the renowned cryptocurrency exchange, Binance, funded the wallet employed in the attack.
The Exploit and its Financial Implications
The exploit on Curve Finance was significant, leading to an estimated loss of between $42-$47 million, according to blockchain auditing firm BlockSec. This breach shook the entire DeFi ecosystem, resulting in a substantial decline in the Total Value Locked (TVL) across all DeFi protocols. As a stark example, Curve Finance's TVL fell by a staggering 44% to $1.8 billion.
Additionally, the native token of Curve Finance, CRV, experienced a slump of 16%. At the time of writing, it stands at a value that is 96% below its all-time high. These sobering figures underscore the severity of the situation and hint at the profound implications for the broader DeFi ecosystem.
The Debt Crisis of Curve Finance Founder
An alarming aspect of the exploit is the significant debt accumulated by Curve Finance's founder, Michael Egorov. With his loans backed by about 47% of the total circulating supply of the protocol's native token (CRV), Egorov has accumulated a staggering $100 million in debt across various lending protocols. The severity of Egorov's financial obligations could potentially place further stress on the already strained DeFi ecosystem, leading to increased volatility and uncertainty among participants.
However, Egorov's swift response to the crisis, selling CRV tokens and partially repaying his Tether loans, has helped to mitigate some of the immediate financial risks. His actions, combined with support from key stakeholders within the DeFi community, have provided a degree of stability in these challenging times.
This unfolding situation serves as a stark reminder of the inherent risks within the DeFi space. The potential for future vulnerabilities necessitates an ongoing commitment to robust security measures, stringent code audits, and thorough testing protocols. Developers, auditors, and users alike must work together to reinforce the integrity and resilience of the DeFi ecosystem, ensuring it continues to provide a safe, reliable alternative to traditional financial systems.
What’s Next?
The Curve DAO exploit revealed a critical vulnerability within the DeFi ecosystem, shaking investor confidence and highlighting the need for enhanced security measures. The hack on Curve Finance's CRV/ETH pool demonstrated the potential risks associated with outdated versions of programming languages like Vyper. The impact on the CRV price was immediate, but efforts to salvage the situation and repay loans provided some stability. The future of CRV remains uncertain, with the potential for a short squeeze and a short-term rally, but lingering risks persist. The incident serves as a crucial lesson for the DeFi community, emphasizing the importance of security and collaborative efforts to fortify the decentralized financial landscape.