Several pools on Curve Finance were hacked, allowing hackers to withdraw more than $47 million from various DeFi projects. Curve DAO (CRV) quotes started to drop. Michael Egorov staged a sell-off of the asset in an attempt to save the token, raising questions about the personal use of CRV.
DeFi platform Curve Finance suffered a hacker attack. On July 30, several pools using the Vyper programming language were compromised. According to a report from the team on X, Vyper versions 0.2.15, 0.2.16, and 0.3.0 were vulnerable.
Ancilia analysts reported that nearly five hundred smart contracts that utilize the vulnerable versions of Vyper were affected. The hackers managed to drain the pools due to reentrancy vulnerability. Four liquidity pools were affected by the attack:
- aETH/ETH;
- msETH/ETH;
- pETH/ETH;
- CRV/ETH.
Analysts from audit firm BlockSec believe that all Wrapped Ethereum (WETH) pools could be at risk if exploited again.
The attack resulted in over $47 million in crypto being stolen by the hackers. Several DeFi protocols involved in the compromised pools were hit at once. Thus, the Ellipsis team reported that a number of DEX pools with BNB were hacked, and exploiters withdrew about 283 WBNB. Besides, the Alchemix Finance protocol lost about $13.6 million due to the attack, the JPEG’d NFT project lost around $11.4 million, and the Metronome DeFi protocol lost approximately $1.6 million. Over $22 million in CRV was withdrawn from the Curve swap pool.
CRV quotes reacted to the event with a sharp drop. According to CoinGecko, the token fell by 15% within a few hours of the incident. Over the next few days, CRV quotes continued to go down. On August 1, the price reached $0.48, the lowest for the last seven months.
The news regarding the debt obligations of Michael Egorov, Founder of Curve Finance, significantly affected the token’s value. Delphi Digital analysts reported on X that Egorov used about 427.5 million CRV to obtain loans through various DeFi protocols worth $100 million. It’s worth noting that the pledged amount of CRV is about 47% of the total amount of Curve DAO tokens in circulation.
Thus, Egorov blocked 305 million CRV on Aave to receive $63.2 million in USDT, and 59 million CRV on Frax Finance to back a $15.8 million FRAX loan. As CRV quotes drop, so does the liquidity of the token, and both loans were at risk of liquidation after the attack on Curve Finance.
Realizing the risks posed to the ecosystem, Egorov paid out 4 million FRAX, which only managed to increase CRV’s liquidity temporarily as users instantly started withdrawing. Egorov decided to sell CRV “at a discount” to deal with the situation. According to Lookonchain data, he sold 39.25 million CRV at a price just above $0.4 per token, receiving $15.8 million. Overall, Egorov sold more than 50 million CRV at an undervalued price. Tron founder Justin Sun, entrepreneur Jeffrey Huang, and investment firm DWF Labs were among the investors willing to buy the token at a discount. Thanks to the “sale,” as reported by DeBank, Egorov reduced his Aave loan to $54.2 million.
However, the crypto community didn’t appreciate the Curve Finance founder’s “rescue operation,” expressing distrust in those investors who now own a large amount of CRV. The community even compared Egorov to Sam Bankman-Fried, who used FTT tokens as collateral. Some community members expressed concerns that Egorov’s actions will be “a black eye for the industry” and have negative repercussions for the entire market, as it’ll push investors away from DeFi.
Despite all the criticism, the DeFi community is committed to helping CRV after the attack. For example, an ethical hacker managed to get just over 2,879 ETH (~$5.4 million) back into the Curve Finance protocol. A white hat used a front-running bot against the hacker to accomplish this.
Hackers managed to steal over $313 million in crypto in Q2 of this year. In the first six months, hackers stole $656 million in cryptocurrencies, of which $215 million in assets were returned to users.