
Curve Finance Exploit and DeFi Implications

What are the wider ramifications of the Curve Finance exploit on DeFi, if any?

August 1, 2023


At a glance

Four liquidity pools on Curve Finance were affected by an exploit related to a vulnerability in the Vyper programming language on July 30.

Key takeaways

  • How this affects the decentralized finance (DeFi) complex is not clear at this point, as Curve pools play a major part in Ethereum’s DeFi stack as a source of liquidity.
  • Our initial impression is that there are mitigating factors offsetting some vulnerabilities from the attack, and that the actual systemic DeFi risk associated with the exploit is limited.

Written by

  • David Duong, CFA, Head of Institutional Research

On July 30, four pools on Curve were affected by an exploit related to a vulnerability in the Vyper programming language, the second most popular Ethereum Virtual Machine (EVM) language behind Solidity. Vyper was used to code some of the older pools on Curve that use native ETH. The pools affected by the attack include (1) alETH/ETH, (2) CRV/ETH, (3) msETH/ETH and (4) pETH/ETH. According to DeFiLlama, the total value locked (TVL) on Curve has declined by 47% from $3.26B prior to the exploit to $1.73B as of July 31. Initial loss estimates due to the attack range from $24M to $52M.

How this happened is still under investigation, but what we know is that it involved a malfunctioning reentrancy lock in specific Vyper compiler versions. A reentrancy lock is meant to stop a contract from being called again before its current execution has finished; because the affected compiler versions did not correctly implement the lock, an attacker was able to call back into the pool contract repeatedly before the initial execution had completed, draining it of funds. (Note that the bugs have now been patched.)
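To make the mechanism concrete, here is an added Python model (not code from this note, from Curve, or from Vyper) of a pool whose withdrawal sends ETH through an external call before it has finished. The `lock_works` flag stands in for whether the compiled reentrancy lock actually takes effect, and `update_state_first` for the checks-effects-interactions ordering, a defensive pattern the note does not mention but which holds even when the lock does not; all names and balances are assumptions of the model.

```python
# Added example, not code from the note or from Curve/Vyper: a toy model of a
# pool whose withdrawal hands control to the recipient through an external call.

class PoolError(Exception):
    """Models a reverted call."""

class Pool:
    def __init__(self, lock_works, update_state_first):
        self.lock_works = lock_works            # False: the compiled lock has no effect
        self.update_state_first = update_state_first  # checks-effects-interactions
        self.locked, self.eth, self.balances = False, 0, {}

    def withdraw(self, caller):
        if self.locked and self.lock_works:     # the reentrancy guard, when it works
            raise PoolError("reentrant call rejected")
        self.locked = True
        try:
            amount = self.balances.get(caller.address, 0)
            if amount == 0 or amount > self.eth:
                raise PoolError("nothing to withdraw")
            if self.update_state_first:         # zero the balance before sending
                self.balances[caller.address] = 0
            self.eth -= amount
            caller.receive(self, amount)        # external call: control leaves the pool
            if not self.update_state_first:     # balance zeroed only after the call
                self.balances[caller.address] = 0
        finally:
            self.locked = False

class Recipient:
    def __init__(self, address, reenter):
        self.address, self.reenter, self.received = address, reenter, 0

    def receive(self, pool, amount):            # receive hook of the recipient contract
        self.received += amount
        if self.reenter and pool.eth >= amount:
            try:
                pool.withdraw(self)             # calls back in before the first call ends
            except PoolError:
                pass                            # a rejected nested call is simply ignored

def simulate(lock_works, update_state_first):
    """Returns (ETH obtained by the re-entering caller, ETH left in the pool)."""
    pool = Pool(lock_works, update_state_first)
    pool.balances, pool.eth = {"lp": 900, "reenter": 100}, 1000   # constructed balances
    caller = Recipient("reenter", reenter=True)
    pool.withdraw(caller)
    return caller.received, pool.eth
```

With a working lock, or with the balance zeroed before the send, the re-entering caller gets only its own 100 and the pool keeps 900; with a broken lock and state updated after the send, the caller walks away with all 1,000.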

How this affects the decentralized finance (DeFi) complex is not clear at this point, as Curve pools play a major part in Ethereum’s DeFi stack as a source of liquidity. One reason for that is that Curve is the leader in multi-asset stablecoin pools, despite progress from competitors like Uniswap. Although there was no direct stablecoin pool exposure to the exploit, there may have been some indirect exposure, as some stablecoins in Curve’s pools are backed by ETH. As a knee-jerk reaction, many liquidity providers have withdrawn from Curve, with the TVL in Curve’s popular 3pool (DAI/USDC/USDT) declining from $286M before the exploit to $225M afterwards.

The price of ETH/USD, however, is moving more or less in line with the rest of its crypto peers, which, in our view, suggests that the consensus believes there is limited systemic risk associated with this exploit. Based on our current understanding, we generally agree with this sentiment, as we see two potential sources of systemic risk, each of which has mitigating factors.

First, there’s the issue of the $70M loan position (collateralized with CRV) taken by Curve Finance founder Michael Egorov on the DeFi lender AAVE. The price of CRV has slipped following the exploit, but at $0.61 (July 31) it is still above the liquidation price of $0.38. Moreover, the size of the potential CRV liquidation is around $115M, which represents less than 2.2% of AAVE’s debt collateral.


Second, if LPs continue withdrawing from Curve pools, there is a concern that the liquidity constraints could prevent the DeFi complex from functioning properly. Liquidity has been a challenge recently for both traditional finance and crypto. But so far, it seems that the effects of the exploit have been limited to the four pools listed above. Moreover, the last time we saw LPs withdraw from Curve, following the FTX collapse (draining TVL by 38%), the bulk of those funds did return within two months. In the case of this exploit, Curve advised some LPs to exit certain pools as a precaution, so when things have settled, we think there’s a good chance that those LPs could return.
