$47 Million Exploitation of Curve Finance Pool Due to Reentrancy Vulnerability

Decentralized finance (DeFi) has seen widespread adoption and popularity in recent times, however, security remains a paramount concern. There have been several instances of attacks on the vulnerabilities that persist in the DeFi ecosystem.

One such instance involves the most recent news on Curve Finance, a prominent decentralized exchange (DEX) protocol built on the Ethereum network. The news reported that several stable pools on Curve Finance were hacked for over $47 million. The attack targeted the reentrancy vulnerability in the Vyper compiler, which is used to write smart contracts on the Ethereum blockchain. 

The incident has sent shock waves across the DeFi ecosystem questioning the security measures implemented to prevent such a mishap.

What is Reentrancy Attack?

Reentrancy attacks are used to drain the funds from a smart contract, where an attacking smart contract takes advantage of the vulnerable smart contract. This is possible because of the sequence in which a smart contract handles a transaction. The smart contract usually follows these three steps: checking the balance, sending the funds, and finally updating the balance. The time between sending the funds and updating the balance offers a window for the attacking smart contract to call the withdraw function several times till the balance has been updated. The process continues till all the funds are drained.

Curve Finance Hack of $47 Million

In the case of the Curve Finance hack, the attacker exploited a reentrancy vulnerability in the withdraw function of the alETH-ETH pool. This function enabled the attacker to drain funds from the pool even when the pool balance was not sufficient.

The attacker first withdrew a small amount from the pool. This in turn triggered the withdraw function, allowing the attacker to call the function multiple times. The total amount of funds drained through this attack is over $47 million also affecting other stable pools in the msETH-ETH and pETH-ETH pools.

According to the recent update from Vyper, 0.2.15, 0.2.16, and 0.3.0 versions are at risk of a reentrancy attack. They stated that the investigation is ongoing and the projects using these versions should immediately inform them.

Implication on the DeFi Community

The attack has raised concerns regarding the security of smart chain contracts on Ethereum. Several DeFi projects were targeted during this attack. CoinMarketCap metrics showed a sharp decline of around 5% in the price of Curve Finance’s utility token Curve DAO (CRV) after the news of the hack.

The incident emphasizes the importance of conducting security audits for all smart contracts and DeFi protocols. The developers can lay more priority on security measures through code reviews and third-party audits to strengthen the security of their projects and provide a seamless experience to their users.


The Curve Finance incident reminds the DeFi community of the risks involved despite its enormous potential to provide innovative financial solutions. DeFi projects should place huge importance on security as a part of their development process and accept measures to avoid the occurrence of such attacks. Even the users should understand that DeFi projects are not immune to risks and should adopt a cautious and informed approach before setting foot into any such projects.

Disclaimer: This article was created for informational purposes only and should not be taken as investment advice. An asset’s past performance does not predict its future returns. Before making an investment, please conduct your own research, as digital assets like cryptocurrencies are highly risky and volatile financial instruments.

Author: Puskar Pande

Leave a Reply