Root-cause analysis not yet published. The incident description below contains all currently available signal — review the attack transaction directly for definitive forensics.
Reproducible Foundry test fork from SunWeb3Sec/DeFiHackLabs. Clone the repo, run forge test against the file path above, and replay the exploit against a mainnet fork at the historical block. Use for reproduction only — not for live targets.
Curve Finance tweeted that many stablecoin pools (alETH/msETH/pETH) using Vyper 0.2.15 were attacked due to a faulty recursive lock. crvUSD contracts and other fund pools are not affected. As of now, the Curve Finance stablecoin pool hack has caused a cumulative loss of $73.5 million to Alchemix, JPEG'd, MetronomeDAO, deBridge, Ellipsis, and CRV/ETH pools. On August 6, Alchemix tweeted that the Curve Finance hacker had returned all of Alchemix's funds in the Curve pool. On August 19, MetronomeDAO stated that a MEV bot named "c0ffeebabe" had recovered most of the stolen funds and returned them to Metronome. Attack method (per SlowMist): Affected by Vyper Vulnerability. Reported loss: $ 25,123,594.
- chain
- —
- protocol
- Curve Finance
- bug_class
- mev
- date_occurred
- 2023-07-30
- loss_usd
- $25,123,594
- source_id
- sm:curve-finance::2023-07-30