Exploitation of a reentrancy vulnerability in the Vyper compiler drained approximately $70 million from multiple Curve Finance pools on July 30, 2023.
A reentrancy vulnerability in the Vyper compiler exploited on July 30, 2023, drained approximately $70 million across multiple Curve Finance pools, exposing both technical fragility in DeFi infrastructure and systemic risks posed by concentrated positions in governance tokens.
The attack targeted stablecoin pools on Curve's platform that had been compiled with the vulnerable Vyper versions 0.2.15, 0.2.16, and 0.3.0. The reentrancy bug allowed attackers to re-enter pool functions repeatedly within a single transaction before the pool's state variables had been updated, draining liquidity. Alchemix, JPEG'd, MetronomeDAO, and other protocols had deployed pools using the affected compiler versions. The exploit cascaded across pools throughout the day as attackers refined their attack vectors.
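The mechanism described above, that a nested call runs while the pool's accounting is stale, is easiest to see in a small model. The following Python is an added illustration written for this page; it is not Vyper, Curve, or any attacker's code, and the `Pool` class, its lock keys and the constructed deposit and withdrawal amounts are assumptions. It models a pool that sends ETH before updating its own balance (interaction before effects) and relies on a reentrancy lock to make that safe. The `shared_lock` flag switches between a guard whose lock is one slot shared by every function (the behaviour a `@nonreentrant`-style decorator is meant to provide) and a guard that stores the lock per function, so a call from `remove_liquidity` into `add_liquidity` is not blocked. The `probe` function records whether the nested call ran and whether the pool's invariant held at that moment, which is the property a defender would assert in a test suite.

```python
"""Cross-function reentrancy model (constructed illustration, not Vyper or Curve code).

A pool sends ETH to the withdrawer *before* updating its accounting, and relies on a
reentrancy lock to make that ordering safe. The lock either holds across all
functions (correct) or is stored per function (broken), which is the failure
class behind the incident: a guard that does not actually cover cross-function
re-entry.
"""


class Reverted(Exception):
    """Stands in for an EVM revert."""


class Pool:
    def __init__(self, shared_lock: bool):
        self.shared_lock = shared_lock
        self.locks = {}           # lock storage, keyed by slot
        self.eth_accounting = 0   # what the contract believes it holds
        self.eth_held = 0         # what it actually holds (stand-in for the address balance)
        self.lp = {}              # account -> LP tokens
        self.hooks = {}           # account -> callable run when ETH is sent to it (a contract's fallback)
        self.log = []             # (function, invariant_ok) for nested calls that were allowed to run

    def _slot(self, key, fn):
        # Correct guard: one slot per lock key, shared by every function that names it.
        # Broken guard: one slot per (key, function), so two functions that name the
        # same key never see each other's lock.
        return key if self.shared_lock else (key, fn)

    def _enter(self, key, fn):
        slot = self._slot(key, fn)
        if self.locks.get(slot):
            raise Reverted(f"reentrant call to {fn}")
        self.locks[slot] = True

    def _exit(self, key, fn):
        self.locks[self._slot(key, fn)] = False

    def invariant_ok(self):
        """The accounting balance must match what the pool really holds."""
        return self.eth_accounting == self.eth_held

    def add_liquidity(self, account, amount, nested=False):
        self._enter("lock", "add_liquidity")
        try:
            if nested:
                # Record what a re-entering caller observes at this point.
                self.log.append(("add_liquidity", self.invariant_ok()))
            self.lp[account] = self.lp.get(account, 0) + amount
            self.eth_held += amount
            self.eth_accounting += amount
        finally:
            self._exit("lock", "add_liquidity")

    def remove_liquidity(self, account, amount):
        self._enter("lock", "remove_liquidity")
        try:
            if self.lp.get(account, 0) < amount:
                raise Reverted("insufficient LP")
            # Interaction before effects: ETH leaves first, accounting is updated
            # afterwards. Between these lines the state is stale, and only the lock
            # stops another pool function from running against it.
            self._send_eth(account, amount)
            self.lp[account] -= amount
            self.eth_accounting -= amount
        finally:
            self._exit("lock", "remove_liquidity")

    def _send_eth(self, account, amount):
        self.eth_held -= amount
        hook = self.hooks.get(account)
        if hook:
            hook(self)   # control passes to the recipient while the pool's state is stale


def probe(shared_lock: bool):
    """Deposit, then withdraw from an account whose fallback calls add_liquidity.

    Returns (nested_call_ran, invariant_seen_by_nested_call, final_invariant_ok).
    Amounts are constructed for the illustration.
    """
    pool = Pool(shared_lock)
    pool.add_liquidity("alice", 100)

    def fallback(p):
        try:
            p.add_liquidity("alice", 1, nested=True)
        except Reverted:
            pass   # correct guard: the nested call is rejected

    pool.hooks["alice"] = fallback
    pool.remove_liquidity("alice", 40)
    nested_ran = bool(pool.log)
    nested_saw_consistent_state = pool.log[0][1] if pool.log else None
    return nested_ran, nested_saw_consistent_state, pool.invariant_ok()


if __name__ == "__main__":
    print("shared lock:", probe(True))    # nested call rejected
    print("per-function lock:", probe(False))  # nested call runs on inconsistent state
```

The useful observation is the middle value: with the per-function lock the nested `add_liquidity` executes while `eth_accounting` and `eth_held` disagree, even though the invariant is restored once the outer call finishes. A review or fuzz test that only checks state after each top-level transaction would miss this; the check has to run, or be asserted, at the point of re-entry, and the guard has to be tested by re-entering from a *different* function than the one that holds the lock.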
Curve's CRV token fell more than 20 percent in the immediate aftermath. Broader DeFi markets contracted as risk appetite deteriorated and investors withdrew capital. Curve remained the largest decentralized exchange by total value locked despite the exploit. The attack highlighted a structural vulnerability affecting not just Curve but any protocol using vulnerable Vyper versions.
Curve founder Michael Egorov held a $168 million position in CRV collateralized across Aave, Fraxlend, and other lending protocols. The token's decline pushed his loans toward liquidation thresholds. Aave faced potential cascading liquidations if Egorov's position unwound involuntarily. The concentration of governance tokens in founder hands created counterparty risk that extended beyond Curve itself into the broader DeFi lending market.
Egorov conducted over-the-counter sales of CRV tokens to reduce liquidation risk. He negotiated directly with large holders and DeFi participants, offering discounts on massive blocks of tokens. The OTC market absorbed hundreds of millions of dollars of supply that might otherwise have flooded public markets. The sales succeeded in raising collateral value and reducing liquidation pressure, but left the founder with diminished voting control over Curve's governance.
Whitehat hackers and ethical actors returned portions of stolen funds to affected pools. The recovery rate varied across exploited contracts, with some achieving near-total restoration and others sustaining permanent losses. Curve offered bounties for returned funds and engaged in negotiations with attackers to minimize damage. The incident underscored how DeFi's pseudonymous structure enabled both attack and recovery mechanisms unavailable in traditional finance.
Vyper developers released patched compiler versions addressing the reentrancy vulnerability. The speed of the fix demonstrated mature security response protocols within the Ethereum development community. Protocols began mandatory upgrades to safe Vyper versions. Curve deprecated affected pools and migrated liquidity to patched versions.
The incident revealed tensions between governance decentralization and systemic stability. Egorov's voting control over Curve governance created a moral hazard, as his personal liquidation risk could influence protocol decisions. The exploit demonstrated that concentrated founder positions in governance tokens posed tail risks to broader DeFi lending markets. Later governance discussions included proposals for founder token lockups and voting limits to prevent future concentration scenarios.