Curve - The Second Largest DeFi Platform - Hacked for $69 Million

DeFi is a nascent sector inside of the Crypto industry. It became extremely popular in the 2020 cycle for crypto as thousands of DeFi platforms proliferated and the days of yield hunting began.

The DeFi sector has matured quite a lot since these early days, but that doesn't mean its still not a baby sector. Since its so new, hacks and rug pulls are very common. It also deals directly with capital and because of that, it attracts tons of bad actors looking to exploit protocols to steal user funds.

Curve has long been one of the top DeFi platforms. It's one of the oldest in the sector and thought to be one of the most secure.

Yesterday at around 9:30AM EST, a pETH-ETH liquidity pool was hacked for over $11M. Four other attacks followed and then a statement was made - at 4:30 PM - in the curve Discord. The Curve team said that "all affected pools have been drained or white hacked. All remaining pools are safe and unaffected by the bug."

Despite that statement, a few more attacks followed. Some being bad actors and some being white hacks.

In the featured image of this post, X user tayvano_ ran an analysis on-chain of the hacks and posted the funds taken and who the hackers are.

As you can see, some are malicious and some are white hacks.

The white hackers have returned $16.9M so far which accounts for 24% of the total $69M hacked. That means ~$52M is still "at large" or waiting to be seen if some more will get returned.

$50M in damage is quite bad but Curve is a relatively large protocol. This is contained damage. The main worry is if there will be ripple effects in other sectors of DeFi and if people will become afraid to pool on Curve in the future.

How Curve handles what comes next will be important.

How Curve Was Hacked

The attack seems to be a 0-day bug which is a type of reentrancy vulnerability. This type of vulnerability is very common in DeFi liquidity pools.

Vyper is a programming language that is used - and their team is actually supported - by Curve.

The vulnerability was found in certain versions of the compiler.

A few tweets were sent by Curve and Vyper team as well as JPEG'd who were all trying to point fingers and pick someone to blame.

The Future of DeFi

DeFi is obviously a sector of Crypto that I keep a close eye on. I believe it will end up being one of the main (if not already) sectors of the entire crypto industry. Liquidity is extremely valuable to an emerging industry like crypto.

The liquidity on DeFi protocols will enable a lot of positive things for crypto in the long-run but it also enables a lot of malicious actors who see the billions of dollars lying around for the taking.

As the sector continues to mature, I expect more vulnerabilities. Security is paramount and I think all of the hacks and rug pulls see point a light at the need for more auditing and checks & balances in the industry at large.

I have experience building DeFi products. I also have worked with auditing firms within Crypto.

Auditing firms in crypto are pretty bad to be completely honest. They're hard to work with and tend to rush their work. They are as much out to just make money and move on as anyone else.

I have had multiple firms audit various contracts and one firm finds a vulnerability that the others did not and vice versa.

It tells me that these firms don't really care about their work. They care about their paycheck and then move on completely.

That's not the case with every firm and I have found some firms and individual devs who take pride in their work and value security. Understanding that they play a key role in securing a network and helping the people who choose to use it.

It's a vital job for the space and I would love to see more successful auditing companies. I also think TradFi offers us a lot in this regard and hope to see TradFi auditing firms step into the space and bring some professionalism to DeFi.

As a user of Curve, I wasn't impacted by this hack but I do hope to see Curve land on its feet. They are a staple in the DeFi sector and seeing them lose liquidity would cause detrimental ripple effects to other sections of DeFi.

To me, this is another reminder that you should understand the risks of any protocol - no matter how old, big or small - and never put all your eggs in one basket. Having a diversified basket of liquidity pools, crypto assets, crypto wallets and blockchains is a vital strategy to survive in this space.

About LeoFinance

LeoFinance is a blockchain-based Web3 community that builds innovative applications on the Hive, BSC, ETH and Polygon blockchains. Our flagship application: LeoFinance.io allows users and creators to engage & share micro and long-form content on the blockchain while earning cryptocurrency rewards.

Our mission is to democratize financial knowledge and access with Web3.

Twitter: https://twitter.com/FinanceLeo
Discord: https://discord.gg/E4jePHe
Whitepaper: https://whitepaper.leofinance.io

Our Hive Applications

Join Web3: https://leofinance.io/
Microblog on Hive: https://leofinance.io/threads
Build a Microblogging Community on Hive: https://leofinance.io/communities
Delegate HIVE POWER: Earn 16% APY, Paid Daily. Currently @ 3.8M HP
Hivestats: https://hivestats.io
LeoDex: https://leodex.io
LeoFi: https://leofi.io
BSC HBD (bHBD): https://wleo.io/hbd-bsc/
BSC HIVE (bHIVE): https://wleo.io/hive-bsc/
Earn 25%+ APY on HIVE/HBD: https://cubdefi.com/farms

Web3 & DeFi

Web3 is about more than social media. It encompasses a personal revolution in financial awareness and data ownership. We've merged the two with our Social Apps and our DeFi Apps:

CubFinance (BSC): https://cubdefi.com
PolyCUB (Polygon): https://polycub.com
Multi-Token Bridge (Bridge HIVE, HBD, LEO): https://wleo.io

Posted Using LeoFinance Alpha