Curve Finance Hack 2023 — $61M Exploit Analysis

A reentrancy vulnerability in Vyper compiler versions 0.2.15-0.3.0 allowed attackers to drain multiple Curve liquidity pools.

Details

Full Description

Multiple Curve Finance pools built with Vyper versions 0.2.15 through 0.3.0 were found to have a malfunctioning reentrancy lock due to a compiler bug. Attackers exploited this in alETH/ETH, msETH/ETH, and pETH/ETH pools. The Curve team and white-hat hackers worked to front-run remaining vulnerable pools, recovering a significant portion.

Laundering Analysis

Proceeds split — some attackers cooperated with Curve team and returned funds for a 10% bounty. Remaining stolen ETH moved through Tornado Cash. The Curve DAO treasury was used to partially compensate affected LPs. c0ffeebabe.eth (white-hat) front-ran and returned a substantial amount.

Sources

Transaction Hashes

Related Hacks

Back to Browse