Crypto exploits, hacks and fraud have not let up long enough for the community at large to take a much needed breather. Conic Finance was hit by two exploits a little over a week ago; Poly Network has been hacked repeatedly; Atomic Wallet was raided just last month. The list goes on.
It leaves a very bad taste in my mouth to say this, but decentralised finance (DeFi) on Ethereum recently witnessed a concerning incident that has raised eyebrows across the crypto community. Curve, a prominent stablecoin exchange central to DeFi operations, found itself at the mercy of an exploit, as the project revealed in a tweet.
The gravity of the situation becomes apparent when we consider that over $100 million worth of cryptocurrency is hanging in the balance. The exploit stems from a "re-entrancy" bug in specific versions of Vyper, the smart-contract language in which several of Curve's pool contracts are written, and it allowed attackers to drain several stablecoin pools on the platform. These pools serve a critical role, acting as the foundation for pricing and liquidity across numerous DeFi services.
Beyond Curve, the vulnerability potentially affects any other project whose contracts were compiled with the affected Vyper versions. As the incident unfolded, the extent of the damage to Curve remained uncertain. However, BlockSec, a blockchain auditing firm, quickly weighed in with a preliminary analysis shared on Twitter, estimating total losses at an alarming figure of over $42 million.
Curve's website lists 232 distinct pools. However, only a specific subset of these, the pools compiled with Vyper versions 0.2.15, 0.2.16 and 0.3.0, are under threat. This emerged from a Discord announcement by mimaklas, a member of the Curve team.
Clarifying the extent of the impact, mimaklas said that every vulnerable pool had either already been exploited or had been secured through "white hacking", that is, pre-emptively draining a vulnerable pool so that the funds can be returned to its liquidity providers rather than taken by an attacker. Despite the ongoing challenges, the Curve team remains resolute, actively assessing the situation alongside the affected teams.
Among the First to Identify an Issue with its Pool on Curve
Decurity, a decentralised finance security firm, reported a theft of a staggering $11 million worth of cryptocurrency from JPEG'd, an NFT lending protocol, raising concerns about the security measures in place within the DeFi ecosystem.
JPEG'd, known for pioneering NFT-backed loans, had been quick to identify an issue within its Curve pool, which served as the attackers' point of entry. With users depositing NFTs as collateral, the protocol's total value locked (TVL) had reached approximately $32 million, making it an enticing target for malicious actors.
Fortunately, JPEG'd has reported that the core code responsible for safeguarding NFTs and treasury funds remained untouched, offering some relief amid the chaos. Nonetheless, the incident has hit the platform's governance token, JPEG, whose value has plummeted by 23% to an all-time low of $0.000347 on Sunday.
The Innocent Hides Nothing While the Guilty Can Hide Nothing
Discovering critical vulnerabilities in the world of cryptocurrency can be a game of twists and turns. Curve encountered such a rollercoaster when it initially referred to the exploit as a seemingly ordinary "re-entrancy" attack in a now-deleted tweet. In essence, a re-entrancy attack occurs when a smart contract makes an external call to another contract (sending it ETH or invoking one of its functions) and that contract calls back into the original before the first call has finished, in particular before it has updated its own state. Because the callback sees stale balances, an attacker can repeat a withdrawal, or any other balance-dependent operation, several times within a single transaction, and the contract miscounts what it owes.
Yet the plot thickened when Curve, replying to a Twitter account that had resurfaced the deleted statement, admitted to having misjudged the situation. The vulnerability was evidently more than a typical, avoidable coding mistake: because the defect sat in the affected Vyper compiler versions rather than in the pool contracts' own logic, a contract that had correctly applied a re-entrancy guard could still be re-entered.
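The control flow described above, as an added example that is not code from Curve, Vyper or this article: a Python model of a vault whose withdraw() pays out before updating the balance, an attacker whose payment callback re-enters, and a hardened vault that updates state first and holds a single lock. The class names, deposit amounts and the receive() callback are constructed for the illustration; in the EVM the callback would be the recipient contract's fallback code and the exception an actual revert.

```python
"""Re-entrancy, modelled in Python (constructed example, not Vyper code).

A vault keeps a per-account balance and pays it out on withdraw().  In the
EVM, paying ETH to a contract runs that contract's fallback code synchronously,
inside the vault's own withdraw() call; receive() below stands in for that
fallback, and an escaping exception stands in for an EVM revert.
"""


class ReentrancyError(Exception):
    """Raised by the guard when a function is entered while already active."""


class User:
    """Honest account: just accepts payment."""

    def __init__(self):
        self.received = 0

    def receive(self, vault, amount):
        self.received += amount


class Attacker:
    """Malicious account whose fallback re-enters withdraw() while the vault
    still has ETH, before the outer call has zeroed the attacker's balance."""

    def __init__(self):
        self.received = 0

    def receive(self, vault, amount):
        self.received += amount
        if vault.eth >= amount:        # keep going until the vault is empty
            vault.withdraw(self)


class VulnerableVault:
    """Interaction (external call) before effect (balance update)."""

    def __init__(self):
        self.balances = {}
        self.eth = 0                   # ETH held by the contract

    def deposit(self, who, amount):
        self.balances[who] = self.balances.get(who, 0) + amount
        self.eth += amount

    def withdraw(self, who):
        amount = self.balances.get(who, 0)
        if amount == 0:
            return
        if self.eth < amount:
            raise RuntimeError("insufficient funds")   # transfer would fail
        self.eth -= amount
        who.receive(self, amount)      # BUG: callback runs before the line below
        self.balances[who] = 0         # re-entrant calls still saw the old balance


class HardenedVault(VulnerableVault):
    """Checks-effects-interactions plus one lock shared by every function that
    mutates balances (a separate lock per function would not help)."""

    def __init__(self):
        super().__init__()
        self._locked = False

    def withdraw(self, who):
        if self._locked:
            raise ReentrancyError("re-entrant call rejected")
        self._locked = True
        try:
            amount = self.balances.get(who, 0)
            if amount == 0:
                return
            if self.eth < amount:
                raise RuntimeError("insufficient funds")
            self.balances[who] = 0     # effect first ...
            self.eth -= amount
            who.receive(self, amount)  # ... interaction last
        finally:
            self._locked = False


def run_attack(vault_cls, honest_deposit=10, attacker_deposit=1):
    """Fund a vault with constructed deposits, then let the attacker call
    withdraw() once.  Returns (eth_stolen, eth_left_in_vault, reverted); an
    exception escaping the attacker's transaction is treated as a revert, so
    the pre-transaction balances stand."""
    vault = vault_cls()
    vault.deposit(User(), honest_deposit)
    attacker = Attacker()
    vault.deposit(attacker, attacker_deposit)
    eth_before = vault.eth
    try:
        vault.withdraw(attacker)
    except Exception:
        return 0, eth_before, True
    return attacker.received - attacker_deposit, vault.eth, False


if __name__ == "__main__":
    print("vulnerable:", run_attack(VulnerableVault))   # (10, 0, False)
    print("hardened:  ", run_attack(HardenedVault))     # (0, 11, True)
```

Running the file shows the vulnerable vault losing every ETH the honest user deposited within one transaction, while the hardened vault rejects the re-entrant call and the whole transaction reverts. The lock only helps if every function that touches the same balances shares it; a guard that is private to one function still lets a callback come in through a sibling function.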
One Step Too Slow?
Amid escalating reports of exploits spreading across the crypto community via Twitter, a white-hat rescue operation emerged as a glimmer of hope. A timely announcement by Curve Finance sought to reassure the concerned community that the crvUSD contracts and their associated pools remained untouched by the attacks, providing some relief amid the chaos.
Calling on the affected parties to rally together and coordinate with the white-hat effort, the DeFi protocol displayed a united front in combating the threat. However, as the white-hat operation worked to secure the funds and thwart further attacks, another breach unfolded, this time targeting the CRV/ETH pool, putting the system under renewed stress and raising critical questions about its vulnerabilities.
CRV Took an Expected Dive
The relentless barrage of exploits has left a marked impact on the tokens of the affected projects. CRV, in particular, shed over 19% of its value and fell to a four-week low of $0.61. At the time of writing the token hovers at $0.623324, with investors and market observers closely monitoring its fluctuations.
Source: CoinGecko
PeckShield, a prominent blockchain security firm, has reported a notable development: the Curve exploiter has voluntarily returned 2,879 ETH, worth approximately $5.4 million, to the protocol deployer address.
As we await the forthcoming post-mortems, the pieces of this puzzle may fall into place, shedding light on the motives and dynamics at play in this story.