The Complete Account of the Curve-Vyper Exploit

Curve Finance pools were targeted by hackers in a reentrancy attack on July 30, resulting in the theft of over $61 million. The attack exposed vulnerabilities in DeFi projects and raised concerns about the broader contagion risks in the ecosystem. The exploit affected several projects, including Ellipsis, Alchemix, JPEGd, and Metronome. The vulnerability was found in Vyper programming language versions 0.2.15, 0.2.16, and 0.3.0. The incident also led to one of the largest-ever maximal extractable value (MEV) reward blocks.

Curve Finance founder Michael Egorov had around $100 million in loans backed by CRV tokens, which led to fears of liquidation. To reduce his debt position, Egorov sold CRV tokens at a discount to notable DeFi investors. The CRV token price collapsed but was saved by a centralized exchange (CEX) price feed.

The DeFi community rallied around Curve Finance, with ethical hackers retrieving stolen funds and industry players proposing support. Curve, Metronome, and Alchemix offered a 10% bug bounty to recover stolen funds, which the original attacker accepted, returning a portion of the stolen funds. At the time of writing, $8.9 million worth of cryptocurrency has been returned.

