- Exploit on Curve Finance led to a significant fallout across various DeFi protocols, with losses estimated to be over $50 million.
- Llama and Chaos Labs proposed changes to the Ethereum Aave v2 Liquidity Pool, suggesting disabling borrowing while maintaining the ability to deposit assets.
- The exploit triggered panic across the DeFi ecosystem, leading to a decline in Curve DAO (CRV) value and a $2.3 billion drop in the total value locked (TVL) across the DeFi ecosystem.
Llama and Chaos Labs have proposed a series of changes to the Ethereum Aave v2 Liquidity Pool. The proposal, an alternative to AIP-121, a proposal aimed at enhancing transparency and accountability, suggests disabling borrowing while maintaining the ability to deposit assets across the majority of reserves. This initiative aims to mitigate the risk profile across many higher volatile assets following the contraction of liquidity across markets.
This proposal was triggered by a significant exploit on the Curve Finance stablecoin lending platform, which led to substantial fallout across various protocols. The attack, executed on July 30, resulted in losses estimated to be over $50 million. It was carried out across several stable pools running older versions of the Vyper smart contract programming language.
Curve Finance, a DeFi protocol that facilitates the decentralized exchange of stablecoins within Ethereum, alerted its users to the exploit. It was revealed that a number of stable pools using Vyper 0.2.15 had been compromised due to a malfunctioning reentrancy lock. However, Curve Finance assured its users that its crvUSD stablecoin pools remained unaffected.
The exploit had a significant impact on several decentralized finance projects. Ellipsis, a decentralized exchange, reported that a small number of stable pools with BNB were exploited using an old Vyper compiler. Alchemix’s alETH-ETH pool witnessed a $13.6 million outflow, while JPEGd’s pETH-ETH pool and Metronome’s sETH-ETH pool saw exploits of $11.4 million and $1.6 million, respectively.
In response to the exploit, Curve Finance issued a statement on Twitter, acknowledging the exploit and assuring users that they were assessing the situation. Vyper, the programming language at the heart of the exploit, also issued a warning about the vulnerability of certain versions of its software. Blocksec, a company specializing in crypto software security, also confirmed the vulnerability, highlighting the potential for the failure of the reentrancy guard.
The exploit set off a wave of anxiety throughout the DeFi ecosystem, inciting a surge in transactions across pools and prompting a recovery effort from ethical hackers. Consequently, Curve Finance’s utility token, Curve DAO (CRV), experienced a drop of more than 11% in the last 24 hours, as per data from CoinMarketCap. Moreover, the incident led to a $2.3 billion decrease in the total value locked (TVL) across the entire DeFi ecosystem, reducing the locked ecosystem value to $41.5 billion.