Hack Track: Curve Finance Flow of Funds Analysis

On the 30th of July, Curve Finance, a decentralized automated market maker (AMM), was hacked, leading to a loss of ~$45 million in CurveDAO, ETH, and wETH. The attackers exploited a malfunctioning reentrancy lock in different versions of the Vyper programming language (0.2.15, 0.2.16, and 0.3.0) across multiple stable-pools.

Vyper is a contract-oriented, Python-based programming language used for writing Ethereum Virtual Machine (EVM) contracts.

What is Curve Finance?

Curve Finance is a non-custodial AMM that lets users and other decentralized protocols exchange tokens with low fees and low slippage. For this, Curve uses formulated liquidity pools.

Response of the Industry and Curve Finance

Upon discovering the vulnerabilities, the Vyper team immediately utilized its Twitter platform to notify its users about the situation. 

In response to this, Curve Finance informed its users that ‘A number of stable-pools (alETH/msETH/pETH) using Vyper 0.2.15 have been exploited..’

On that same day, an ethical hacker took immediate action and retrieved a portion of the stolen assets, promptly returning them to Curve Finance.

A maximal extractable value bot operator named "c0ffeebabe.eth" used a front-running bot against the malicious hackers, successfully safeguarding nearly 2800 ETH (worth $5.4 million). Subsequently, these funds were restored to the Curve deployer address, their rightful custodian.

After these attacks, Michael Egorov, the Chief Executive Officer of Curve Finance, verified that over 32 million CRV tokens, valued at more than $22 million, were illicitly extracted from the swap pool. This confirmation sparked a wave of anxiety throughout the DeFi ecosystem, triggering a flurry of transactions across various pools and necessitating a response from ethical hackers to safeguard the affected assets.

Amidst the ensuing chaos, certain Twitter accounts, posing as Curve Finance and the victims of the hack, are now promoting a fraudulent refund scheme. Their target is those who have already suffered losses from the recent hack.

Merkle Science’s Flow of Funds Analysis

According to Merkle Science’s analysis, Curve Finance incurred a loss of approximately $45 million in CurveDAO, ETH, and wETH tokens, due to the exploitation of a vulnerability in different versions of Vyper, a language used for writing smart contracts of certain Curve pools.

Some of the most affected platforms, with their respective losses, are listed below:

CRV/ETH - $19.7 Million

JPEG’d - $11.5 Million

Alchemix - $13.6 Million

MetronomeDAO - $130k

The vulnerability allowed the attacker to execute a reentrancy attack, where the “withdraw_with_fee” function was called multiple times in a row.

Using this technique, the attacker successfully siphoned funds from various liquidity pools. The affected pools encompassed the alETH, msETH, pETH pool, the 3CRV pool, and the USDT/USDC pool.
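
The failure mode described above, as an added example (not code from Curve, Vyper or Merkle Science): a toy Python model in which `Pool`, `withdraw` (standing in for the function the article names), the `lock_works` flag and all amounts are constructed assumptions. It shows a working lock reverting the nested call, a failed lock letting the payout exceed the deposit, and a balance update placed before the external call as a second safeguard.

```python
# Added illustration: toy model of a withdrawal guarded by a reentrancy lock.
# Pool, withdraw() and the amounts are constructed; this is not Curve or Vyper code.

class Reentrancy(Exception):
    """Raised when the lock rejects a nested call (an on-chain revert)."""

class Pool:
    def __init__(self, lock_works, effects_first):
        self.lock_works = lock_works        # False models the malfunctioning lock
        self.effects_first = effects_first  # True: update balance before external call
        self.balances = {}
        self._locked = False

    def deposit(self, who, amount):
        self.balances[who] = self.balances.get(who, 0) + amount

    def withdraw(self, who, on_receive):
        if self.lock_works and self._locked:
            raise Reentrancy("nested call rejected")
        self._locked = True
        try:
            amount = self.balances.get(who, 0)
            if self.effects_first:
                self.balances[who] = 0
            on_receive(amount)              # external call: control leaves the pool
            self.balances[who] = 0          # too late if the callee already re-entered
        finally:
            self._locked = False
        return amount

def simulate(lock_works, effects_first=False, nested_calls=2):
    """Return (total paid out, reverted) for a caller that deposited 10 units."""
    pool = Pool(lock_works, effects_first)
    pool.deposit("caller", 10)
    received = []

    def on_receive(amount):
        received.append(amount)
        if len(received) <= nested_calls:   # callee calls back into withdraw()
            pool.withdraw("caller", on_receive)

    try:
        pool.withdraw("caller", on_receive)
    except Reentrancy:
        return 0, True                      # whole transaction reverts, nothing paid
    return sum(received), False

if __name__ == "__main__":
    for args in [(False, False), (True, False), (False, True)]:
        print(args, simulate(*args))
```

A useful audit invariant falls out of the model: for any call sequence, the total paid out must never exceed the caller's recorded balance, whether or not the lock is relied on.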

A similar exploit was replicated on the Binance Smart Chain by copycat attackers, leading to a collective loss amounting to approximately $73,000. The unfortunate incident mirrored the original exploit and had similar repercussions on the affected platform.

At the time of writing, there have been no notable fund transfers observed from the exploiter addresses. Merkle Science’s investigations team is continuously monitoring any potential movement of funds. We will provide further updates as the situation develops.

Merkle Science’s blockchain forensics tool ‘Tracker’ visualizes the flow of funds


The increasing number of DeFi attacks highlights the need for platforms to invest in security measures, audit their smart contracts, and create contingency plans for possible exploits. Continuous efforts to strengthen protocols and improve security measures are necessary to prevent further losses. The DeFi market must remain vigilant in fortifying its security measures, as the threat of attacks continues to grow. One solution to mitigate DeFi hacks is to use specialized code that projects integrate into their own. 

Platforms can also use pre-audited code to create their own token smart contracts, providing users with a secure way to start their own token. The U.S. Department of the Treasury has also emphasized the importance of combating illicit finance to strengthen national security. Overall, it is crucial for DeFi platforms to prioritize security measures to prevent further attacks and protect user funds.