A reentrancy vulnerability in Vyper compiler versions 0.2.15-0.3.0 allowed attackers to drain multiple Curve liquidity pools.
Multiple Curve Finance pools built with Vyper versions 0.2.15 through 0.3.0 were found to have a malfunctioning reentrancy lock due to a compiler bug. Attackers exploited this in alETH/ETH, msETH/ETH, and pETH/ETH pools. The Curve team and white-hat hackers worked to front-run remaining vulnerable pools, recovering a significant portion.
Proceeds split — some attackers cooperated with Curve team and returned funds for a 10% bounty. Remaining stolen ETH moved through Tornado Cash. The Curve DAO treasury was used to partially compensate affected LPs. c0ffeebabe.eth (white-hat) front-ran and returned a substantial amount.
0xc8d9e0f1a2b3c4d5e6f7a8b9c0d1e2f3a4b5c6d7e8f9a0b1c2d3e4f5a6b7c8d