Curve Finance pools were targeted by hackers in a reentrancy attack on July 30, resulting in the theft of over $61 million. The attack exposed vulnerabilities in DeFi projects and raised concerns about the broader contagion risks in the ecosystem. Several other protocols, including Ellipsis, Alchemix, JPEGd, and Metronome, were also affected by the attack. The exploit was due to a vulnerability in Vyper programming language versions 0.2.15, 0.2.16, and 0.3.0. The incident led to stress tests on DeFi protocols and a significant drop in the price of Curve DAO (CRV) tokens. Curve Finance founder Michael Egorov had to sell CRV tokens to reduce his debt position. The CRV token price was saved from collapsing by centralized exchange (CEX) price feeds. The DeFi community rallied around Curve Finance, with ethical hackers retrieving stolen funds and proposals for support from industry players. Curve, Metronome, and Alchemix offered a 10% bug bounty for the return of stolen funds, and the original attacker accepted the offer and returned a portion of the stolen funds. At the time of writing, $8.9 million worth of cryptocurrency has been returned, representing approximately 15% of the total amount stolen.
