Curve Finance TVL (total value of assets locked) reportedly drops to over $1B after a massive withdrawal of funds by users. According to data from DefiLlama, the TVL fell nearly 50% to $1.731 billion from $3.26 billion within 24 hours.
The massive withdrawal can be attributed to the recent vulnerability attack on the DeFi protocol which occurred on July 30. Consequently, the exploit triggered fear of liquidation which caused members to immediately withdraw their assets from the decentralized exchange.
Curve Finance falls victim to cyber attack
As earlier reported, Curve Finance was a victim of a cyber attack that was caused by a vulnerability in reentrancy locks after a malfunction was discovered on multiple versions of Vyper, specifically versions 0.2.15, 0.2.16, and 0.3.0. For context, Vyper is a programming language for writing smart contracts on the Ethereum blockchain.
Vyper confirmed the update via an X (Twitter) post on July 30 stating that the aforementioned versions are vulnerable to malfunctioning reentrancy locks. It further added that projects running on those versions should reach out to them immediately.
Advertisement
PSA: Vyper versions 0.2.15, 0.2.16 and 0.3.0 are vulnerable to malfunctioning reentrancy locks. The investigation is ongoing but any project relying on these versions should immediately reach out to us.
— Vyper (@vyperlang) July 30, 2023
Related Reading: Curve Finance Recovers $5.4M Through White Hat Hacker
Curve Finance revealed via Twitter that a number of its stablepools using Vyper 0.2.15 have been exploited due to a malfunctioning reentrancy lock. In a reentrancy attack, an attacker can drain funds from a contract that is susceptible by repeatedly using the withdraw function before it refreshes its balance.
A reentrancy attack allows the perpetrator to call a function that interacts with another contract and then immediately call the same function again before the first function call completes.
Furthermore, BlockSec – a smart contract audit platform disclosed that the reentrancy attack is associated with the use of ‘use_eth’, therefore could potentially put all wrapped Ether (WETH)-related pools at risk.
At the time of writing, it is still unclear how much has been lost due to the attack, however, some estimate that it is currently around $70 million.
Effect of the attack on CRV price
Meanwhile, the attack has negatively impacted the price of the CRV token. According to live data from CoinMarketCap, CRV is currently trading at $0.6395. The price is down 12.66% in the last 24 hours. CRV is ranked #68 on the global crypto market chart with a live market cap of $568,452,354 ($568 million) plunging over 10% in the last 24 hours.