DeFi Shaken by $61M Hack: How Curve-Vyper Exploit Changed the Game

• On July 30, hackers used a reentrancy attack to exploit Curve Finance pools and steal over $61 million worth of cryptocurrencies.
• Several DeFi projects were affected by the attack, including Ellipsis, Alchemix’s alETH-ETH, JPEGd’s pETH-ETH pool and Metronome’s sETH-ETH pool.
• The BSC was also targeted by copycat attacks due to the same vulnerability.

The Hack on Curve Finance Pools

On July 30, several stable pools on Curve Finance using the Vyper programming language were targeted in a reentrancy attack that sent shockwaves across the DeFi ecosystem. This exploit resulted in losses totaling over $61 million (initially estimated at $47 million).

Projects Affected by the Attack

A number of DeFi projects were affected by this attack. Ellipsis reported that a small number of stable pools with BNB were exploited using an old Vyper compiler. Additionally, Alchemix’s alETH-ETH pool saw $13.6 million of outflows due to the hack, $11.4 million was stolen from JPEGd’s pETH-ETH pool, and $1.6 million was stolen from Metronome’s sETH-ETH pool. Curve Finance CEO Michael Egorov also confirmed that 32 million Curve DAO (CRV) tokens worth over $22 million had been stolen from its swap pool.

BSC Targeted By Copycat Attacks

The Binance Smart Chain (BSC) was also targeted by copycat attacks due to the same vulnerability, resulting in approximately $73,000 being stolen in three exploits on the network. After news of the exploit broke, white hat and black hat hackers engaged in an ongoing on-chain battle to disrupt each other’s attempts at either exploiting or recovering funds lost during this incident.

Vulnerability Found On Vyper Compiler

Initial investigations found that some versions of the Vyper compiler did not correctly implement the reentrancy guard, which locks a contract to prevent multiple functions from being executed simultaneously.
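The guard's intended behaviour can be modelled in a few lines of Python. This is an added example, not code from Curve, Vyper or the original article: it shows a regression check that passes when one lock covers the whole contract and fails when the guard does not hold across functions. The `Pool` class, its function names and the per-function lock slots used to model a faulty guard are assumptions made for illustration.

```python
from contextlib import contextmanager

class Reentrancy(Exception):
    """Raised when a guarded function is entered while its lock is held."""

class Pool:
    """Constructed toy contract: two guarded functions and one external call."""

    def __init__(self, per_function_slots: bool):
        # Assumption for this example: a faulty guard is modelled as one lock
        # slot per function instead of one slot for the whole contract.
        self.per_function_slots = per_function_slots
        self.held = set()      # lock slots currently taken
        self.shares = {}       # user -> shares
        self.total = 0         # must always equal sum(self.shares.values())

    @contextmanager
    def _nonreentrant(self, fn_name: str):
        slot = fn_name if self.per_function_slots else "contract"
        if slot in self.held:
            raise Reentrancy(fn_name)   # on-chain this would revert the call
        self.held.add(slot)
        try:
            yield
        finally:
            self.held.discard(slot)

    def add_liquidity(self, user, amount):
        with self._nonreentrant("add_liquidity"):
            self.shares[user] = self.shares.get(user, 0) + amount
            self.total += amount

    def remove_liquidity(self, user, on_payout):
        with self._nonreentrant("remove_liquidity"):
            amount = self.shares.get(user, 0)
            on_payout(amount)           # external call before state is settled
            self.shares[user] = 0
            self.total -= amount

def guard_blocks_cross_function_reentry(pool: Pool) -> bool:
    """Regression check: a payout callback must not reach another guarded function."""
    pool.add_liquidity("lp", 100)
    def callback(_amount):
        pool.add_liquidity("lp", 1)     # nested call into a different function
    try:
        pool.remove_liquidity("lp", callback)
    except Reentrancy:
        return True
    return False
```

When the check returns False, the nested call ran against half-updated state and the pool's `total` no longer matches the sum of `shares`, which is the kind of accounting invariant a test suite can assert after every guarded call.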

Conclusion

This security incident exposed vulnerabilities across many DeFi protocols and, over the past few days, sparked efforts within the community contributing to these platforms to recover the stolen funds.