A Vyper compiler bug let attackers drain $70M from Curve pools, sending CRV plummeting 30% and triggering margin calls on Curve founder Michael Egorov's positions.
Attackers exploited a zero-day vulnerability in the Vyper programming language on Sunday, draining roughly $70 million from Curve Finance's liquidity pools in a single coordinated assault. The CRV token plunged 29% in hours, falling to $0.48 as liquidation fears gripped the market. Multiple stablecoin protocols that held CRV as collateral faced cascading margin calls across DeFi.
The vulnerability lay in Vyper versions 0.2.15, 0.2.16, and 0.3.0, which contained faulty reentrancy guards. The `@nonreentrant` decorator — meant to prevent recursive calls to the same function — used a single shared storage offset for all protected functions instead of individual keys. Attackers repeatedly called the same function within a single transaction, bypassing the guard's assumptions about transaction linearity. The CRV/ETH pool alone was hit twice for over $18.5 million.
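The guarantee a keyed reentrancy lock is supposed to give can be stated as a property and checked. The following is an added Python model, not Vyper or Curve code: it assumes Vyper-style semantics in which every function decorated with the same lock key reads and writes one shared lock slot, and the pool, account and function names (`Pool`, `Account`, `add_liquidity`, `remove_liquidity`) are constructed for the illustration. The check confirms that a callback fired during an external call cannot re-enter any function sharing the key, and that the lock is released once the outer call completes.

```python
"""Added example (not Vyper's or Curve's code): a model of a keyed
reentrancy lock and a property check for the guarantee it must provide."""
from functools import wraps


class Revert(Exception):
    """Stand-in for an EVM revert."""


def nonreentrant(key):
    """Model of a keyed reentrancy lock: every function decorated with the
    same `key` reads and writes the same lock slot on the contract."""
    def decorate(fn):
        @wraps(fn)
        def guarded(self, *args, **kwargs):
            if self.locks.get(key, False):
                raise Revert(f"reentrant call into {fn.__name__}: lock {key!r} is held")
            self.locks[key] = True
            try:
                return fn(self, *args, **kwargs)
            finally:
                self.locks[key] = False   # released when the outer call completes
        return guarded
    return decorate


class Pool:
    """Constructed two-function pool; both entry points share the key 'lock'."""

    def __init__(self):
        self.locks = {}       # one lock slot per key (models contract storage)
        self.balances = {}
        self.total = 0

    @nonreentrant("lock")
    def add_liquidity(self, account, amount):
        self.balances[account] = self.balances.get(account, 0) + amount
        self.total += amount
        return self.balances[account]

    @nonreentrant("lock")
    def remove_liquidity(self, account, amount):
        if self.balances.get(account, 0) < amount:
            raise Revert("insufficient balance")
        # The external call (value transfer) runs before the accounting is
        # finalised, so the callee gets a chance to call back into the pool.
        account.receive(self, amount)
        self.balances[account] -= amount
        self.total -= amount
        return self.balances[account]


class Account:
    """Address with an optional receive hook that runs during a value transfer."""

    def __init__(self, on_receive=None):
        self.on_receive = on_receive

    def receive(self, pool, amount):
        if self.on_receive is not None:
            self.on_receive(pool, self, amount)


def check_shared_lock_blocks_cross_function_reentry():
    """Property check: a callback issued from remove_liquidity that re-enters
    add_liquidity must revert, accounting must stay consistent, and the lock
    must be free again once the outer call has returned."""
    outcome = {}

    def callback(pool, account, amount):
        try:
            pool.add_liquidity(account, amount)   # attempted re-entry
            outcome["reentered"] = True
        except Revert as err:
            outcome["reverted"] = str(err)

    pool = Pool()
    user = Account(on_receive=callback)
    pool.add_liquidity(user, 100)
    pool.remove_liquidity(user, 40)
    pool.add_liquidity(user, 10)          # fresh call after release succeeds
    outcome["balance"] = pool.balances[user]
    outcome["total"] = pool.total
    outcome["lock_released"] = not pool.locks["lock"]
    return outcome


if __name__ == "__main__":
    print(check_shared_lock_blocks_cross_function_reentry())
```

The check is the kind of regression test worth keeping beside any contract that relies on compiler-generated guards: it exercises the lock through the external-call path rather than trusting the decorator's presence.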
Curve's core team responded within hours, pausing deposits across affected pools and triggering emergency circuit breakers. Some of the fund recovery involved whitehat hackers who grabbed assets before attackers could, so the actual user losses are probably closer to $50 million than $70 million. Still, the damage rippled instantly through DeFi. Fraxlend, Aave, and Abracadabra all held material CRV positions as collateral, and the sudden price move exposed founder Michael Egorov's overleveraged position to liquidation risk.
Egorov had borrowed over $100 million against roughly 460 million CRV tokens — approximately 47% of the circulating supply. At $0.48, his position was catastrophically underwater. A liquidation would have triggered additional CRV selling pressure, worsening the cascade. By August 3, Egorov was frantically raising capital through over-the-counter sales, moving 25 million tokens to Wintermute Trading for $10 million across two separate transactions in a race against forced liquidation.
Other CRV holders with collateralized loans faced similar pressure. Lending protocols began marking CRV as higher-risk collateral, automatically trimming the amount borrowers could borrow against it. These "haircuts" came in real time as oracle prices updated. Across DeFi, roughly $100 million in liquidations cascaded through Frax, Abracadabra, and Aave within 48 hours.
The incident exposed a process failure in Vyper's compiler development. The vulnerability existed since version 0.2.15 in May 2023 — nearly three months before discovery. Any project relying on those versions faced retroactive exposure. Vyper issued an urgent advisory urging developers to recompile and redeploy. The message carried an implicit warning: you didn't know which of your contracts were affected until you checked.
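The "until you checked" step can be partly automated. The script below is an added example, not Vyper's or Curve's tooling: it walks a source tree for `.vy` files, reads each file's `# @version` pragma, and classifies it against the three compiler releases named above (0.2.15, 0.2.16 and 0.3.0). It understands exact pins and caret pins (`^X.Y.Z`, taken here to admit later patch releases in the same `X.Y` line); anything else, and files with no pragma at all, are flagged for manual review. The sample inputs at the bottom are constructed, not real Curve contracts. The pragma only records which compiler the source was written for, so a hit is a lead: the authoritative fact is the compiler version actually used to produce the deployed bytecode.

```python
"""Added example (not Vyper's or Curve's tooling): flag Vyper sources whose
`# @version` pragma pins or admits one of the affected compiler releases."""
import os
import re

# Releases named in the advisory discussed above.
AFFECTED = {(0, 2, 15), (0, 2, 16), (0, 3, 0)}

PRAGMA = re.compile(r"^\s*#\s*@version\s+(.+?)\s*$", re.MULTILINE)
VERSION = re.compile(r"^(\^?)(\d+)\.(\d+)\.(\d+)$")


def classify(spec):
    """Return 'affected', 'clean' or 'review' for one pragma version string."""
    m = VERSION.match(spec.strip())
    if not m:
        return "review"   # ranges such as '>=0.3.0 <0.4.0' need a human look
    caret = m.group(1) == "^"
    pinned = (int(m.group(2)), int(m.group(3)), int(m.group(4)))
    if not caret:
        return "affected" if pinned in AFFECTED else "clean"
    # '^X.Y.Z' is treated as admitting any release >= X.Y.Z in the same X.Y line.
    admits = any(v[:2] == pinned[:2] and v >= pinned for v in AFFECTED)
    return "affected" if admits else "clean"


def audit_sources(sources):
    """sources: iterable of (path, text). Returns {path: (pragma, verdict)};
    a file with no pragma is reported as ('<none>', 'review')."""
    report = {}
    for path, text in sources:
        m = PRAGMA.search(text)
        if not m:
            report[path] = ("<none>", "review")
            continue
        spec = m.group(1)
        report[path] = (spec, classify(spec))
    return report


def scan_directory(root):
    """Audit every .vy file under `root` (hypothetical project layout)."""
    def walk():
        for dirpath, _, files in os.walk(root):
            for name in files:
                if name.endswith(".vy"):
                    full = os.path.join(dirpath, name)
                    with open(full, encoding="utf-8") as fh:
                        yield full, fh.read()
    return audit_sources(walk())


# Constructed sample inputs (not real Curve contracts).
SAMPLE = [
    ("pool_a.vy", "# @version 0.2.15\n\n@external\ndef f():\n    pass\n"),
    ("pool_b.vy", "# @version ^0.3.0\n"),
    ("pool_c.vy", "# @version 0.3.1\n"),
    ("pool_d.vy", "# @version >=0.3.0 <0.4.0\n"),
    ("legacy.vy", "@external\ndef f():\n    pass\n"),
]

if __name__ == "__main__":
    for path, (spec, verdict) in audit_sources(SAMPLE).items():
        print(f"{verdict:9} {path:12} {spec}")
```

Run it against a checkout with `scan_directory("path/to/contracts")`; treat every `affected` and `review` entry as a contract whose deployment artefacts need to be cross-checked against the compiler that actually built them.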
Curve's response prevented the contagion from metastasizing into a full protocol cascade. Other exchanges and lending platforms with Vyper dependencies rushed to audit their code and patch vulnerable contracts. By late 2023, the incident became a case study in why single points of failure in developer tooling — a compiler bug affects the entire ecosystem simultaneously — pose systemic risk that no amount of protocol-level safeguards can fully absorb.