Series of Exploits Hit Curve Finance’s Liquidity Pools

Key Points:

  • Curve Finance faces multiple exploits on its liquidity pools, resulting in significant losses for projects like Conic Finance, JPEG’d, Metronome, and Alchemix.
  • Speculated reasons include vulnerabilities in programming language versions and manipulation of the “get_virtual_price” function, highlighting the need for enhanced security measures in the DeFi space.

Curve Finance, a prominent decentralized finance (DeFi) protocol, has been facing a wave of attacks on its liquidity pools, resulting in substantial losses for multiple projects.

The recent incidents, involving Conic Finance, JPEG’d, Metronome, and Alchemix, have raised concerns within the DeFi community. The string of attacks began with Conic Finance on July 21, where assets were drained due to a connection with LP tokens on Curve Finance. Subsequently, on July 30, the NFT lending project JPEG’d reported an exploit involving the pETH-ETH liquidity pool on Curve Finance, resulting in an $11 million loss.

The same day, Metronome also suffered a $1.6 million loss following a similar exploit. Additionally, Alchemix’s alETH became a victim, experiencing an estimated $13.6 million loss linked to a liquidity pool on Curve.


The exact reasons behind these exploits have not been fully disclosed at this time. However, the community has speculated about two primary factors. First, vulnerabilities in versions 0.2.15, 0.2.16, and 0.3.0 of the Vyper programming language are suspected. These versions lack protection against reentrancy attacks, enabling attackers to execute rounding attacks and withdraw funds from liquidity pools.

The second conjecture, outlined in a ChainSecurity document, centers on Curve Finance’s “get_virtual_price” function. This function, which determines the market price of LP tokens, can potentially be manipulated through reentrancy to create a withdrawal loop and manipulate the oracle price index.

Notably, the ChainSecurity document clarifies that this vulnerability does not impact Curve pools internally. Instead, it may affect platforms utilizing Curve’s LP Tokens as collateral, enabling false loan withdrawals.
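
The collateral-pricing risk described above can be shown with a small Python model. This is an added example, not code from Curve, ChainSecurity, or the original article; `ToyPool`, `collateral_value`, the simplified price formula (total balances divided by LP supply) and the order of state updates are assumptions made for illustration.

```python
from fractions import Fraction

class PoolBusy(Exception):
    """Raised when a price is requested while the pool is mid-operation."""

class ToyPool:
    # Simplified model: virtual price = total balances / LP supply.
    def __init__(self, balances, lp_supply):
        self.balances, self.lp_supply, self.locked = list(balances), lp_supply, False

    def get_virtual_price(self):
        # View function: does not look at the reentrancy lock.
        return Fraction(sum(self.balances), self.lp_supply)

    def get_virtual_price_checked(self):
        # Hardened read: refuse to answer while a state change is in flight.
        if self.locked:
            raise PoolBusy("pool state is mid-update")
        return self.get_virtual_price()

    def remove_liquidity(self, lp_amount, on_receive):
        if self.locked:
            raise PoolBusy("reentrant call")
        self.locked = True
        try:
            supply_before = self.lp_supply
            self.lp_supply -= lp_amount          # assumed ordering: burn first
            for i, bal in enumerate(self.balances):
                self.balances[i] = bal - bal * lp_amount // supply_before
                if i == 0:
                    on_receive(self)             # external call to the receiver
        finally:
            self.locked = False

def collateral_value(pool, lp_held, checked):
    # What a lending platform would credit for lp_held LP tokens.
    read = pool.get_virtual_price_checked if checked else pool.get_virtual_price
    return lp_held * read()

def run_demo():
    pool = ToyPool([1000, 1000], 2000)           # constructed sample state
    seen = {"before": collateral_value(pool, 100, checked=False)}
    def receiver_callback(p):
        seen["mid_unchecked"] = collateral_value(p, 100, checked=False)
        try:
            collateral_value(p, 100, checked=True)
            seen["mid_checked"] = "answered"
        except PoolBusy:
            seen["mid_checked"] = "rejected"
    pool.remove_liquidity(1000, receiver_callback)
    seen["after"] = collateral_value(pool, 100, checked=True)
    return seen
```

The pool's own accounting is consistent before and after the withdrawal; only a reader that trusts the unguarded price during the external call sees the inflated value, which is why the fix belongs in the integrating platform's price read.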

Curve Finance and affected projects are likely to collaborate closely with the community to analyze and address the root causes of these attacks. It is essential for the DeFi ecosystem to implement robust security measures and foster transparency to instill confidence in users and maintain the sustainable growth of the DeFi sector.

DISCLAIMER: The Information on this website is provided as general market commentary and does not constitute investment advice. We encourage you to do your own research before investing.
