Hackers Drain $100M+ From Curve, CRV Trading Suspended

Feb 10, 2024

Curve, a stablecoin platform at the heart of Ethereum’s DeFi ecosystem, suffered a hack late on July 30, CoinDesk reported, citing a project tweet. The amount in the headline is at risk because of a “re-entrancy” bug in Vyper, a programming language behind some Curve ecosystem components.

At the time of writing, a number of stablecoin pools in the system had been drained by hackers. These pools were used to price and provide liquidity for a few different DeFi services.

A re-entrancy bug is a type of software vulnerability that occurs in concurrent or multi-threaded programs. It arises when an application's code can be interrupted and re-entered before its previous execution has completed, potentially leading to unexpected and undesirable behavior.

Re-entrancy bugs typically manifest due to shared resources, asynchrony, and interleaved execution. Multiple threads or processes often share common resources, such as global variables, objects, or data structures.

If the shared resources are not properly synchronized or protected, it becomes possible for one thread to interrupt another thread while it is in the middle of using or modifying the shared resource.

When a thread gets interrupted and another thread takes over, it might access and modify the shared resource in a way that was not intended or expected.
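The interruption-and-re-entry pattern described above also arises without threads: in a smart contract it happens when the contract hands control to external code partway through a function. The following Python model is an added example, not code from Curve, Vyper or the original article; the `Pool` class, the account names and the amounts are constructed for illustration, and it compares an unguarded withdrawal with one protected by a non-reentrant lock.

```python
class ReentrancyError(Exception):
    """withdraw() was entered again before the first call finished."""

class Pool:
    """Constructed toy pool; names and amounts are assumptions for illustration."""
    def __init__(self, guarded):
        self.guarded = guarded        # True: enforce a non-reentrant lock
        self.locked = False
        self.balances = {}
        self.reserves = 0

    def deposit(self, who, amount):
        self.balances[who] = self.balances.get(who, 0) + amount
        self.reserves += amount

    def withdraw(self, who, on_receive):
        if self.guarded and self.locked:
            raise ReentrancyError("withdraw re-entered")
        self.locked = True
        snapshot = (dict(self.balances), self.reserves)
        try:
            amount = self.balances.get(who, 0)
            if amount > self.reserves:
                raise ValueError("insufficient reserves")
            self.reserves -= amount
            on_receive(amount)        # control leaves the pool here
            self.balances[who] = 0    # shared state updated only afterwards
            return amount
        except Exception:
            self.balances, self.reserves = snapshot   # model a reverted call
            raise
        finally:
            self.locked = False

def simulate(guarded):
    """Return (amount received, pool reserves left, whether the call reverted)."""
    pool = Pool(guarded)
    pool.deposit("alice", 100)
    pool.deposit("bob", 100)
    received = []
    def on_receive(amount):
        received.append(amount)
        if len(received) < 2:         # re-enter once, mid-withdrawal
            pool.withdraw("bob", on_receive)
    try:
        pool.withdraw("bob", on_receive)
    except ReentrancyError:
        return 0, pool.reserves, True  # reverted: nothing was paid out
    return sum(received), pool.reserves, False
```

Without the lock, the stale balance is read twice and the pool pays out 200 against a 100 deposit; with the lock, the nested call is rejected and the whole withdrawal is rolled back. Moving the balance update above the `on_receive(amount)` call closes the same gap without relying on a lock.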

The exact cause of the bug is not known at this time, but a number of exchanges have already halted trading of Curve Finance’s CRV token, such as the South Korean Upbit, who announced:

Similar vulnerabilities are expected for other projects that use Vyper. At the time of writing, blockchain auditor BlockSec estimated the total losses to exceed $42 million.

According to Curve’s website, it operates 232 pools, but a fraction of them are at risk.

The hack has resulted in a 12.60% decline in the CRV token over the last 24 hours. It is currently trading for $0.64, according to CoinMarketCap.

There is also a risk of liquidation of Curve’s founder’s $70 million borrowing position on Aave due to the heist.