Curve - The Second Largest DeFi Platform - Hacked for $69 Million
DeFi is a nascent sector inside of the Crypto industry. It became extremely popular in the 2020 cycle for crypto as thousands of DeFi platforms proliferated and the days of yield hunting began.
The DeFi sector has matured quite a lot since those early days, but it is still a very young sector. Because it is so new, hacks and rug pulls are very common. It also deals directly with capital, and because of that it attracts plenty of bad actors looking to exploit protocols and steal user funds.
Curve has long been one of the top DeFi platforms. It's one of the oldest in the sector and thought to be one of the most secure.
Yesterday at around 9:30 AM EST, a pETH-ETH liquidity pool was hacked for over $11M. Four other attacks followed, and then a statement was made - at 4:30 PM - in the Curve Discord. The Curve team said that "all affected pools have been drained or white hacked. All remaining pools are safe and unaffected by the bug."
Despite that statement, a few more attacks followed, some by bad actors and some white hacks.
In the featured image of this post, X user tayvano_ ran an on-chain analysis of the hacks and posted the funds taken and who the hackers are.
As you can see, some are malicious and some are white hacks.
The white hackers have returned $16.9M so far, which accounts for 24% of the total $69M hacked. That means ~$52M is still "at large", and it remains to be seen whether more of it will be returned.
$50M in damage is quite bad, but Curve is a relatively large protocol, so this is contained damage. The main worry is whether there will be ripple effects in other sectors of DeFi and whether people will become afraid to pool on Curve in the future.
How Curve handles what comes next will be important.
How Curve Was Hacked
The attack seems to have exploited a 0-day bug that made a reentrancy attack possible. Reentrancy is a very common class of vulnerability in DeFi liquidity pools.
Vyper is a smart contract programming language that is used by Curve, and the Vyper team is actually supported by Curve.
The vulnerability was found in certain versions of the Vyper compiler.
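To make the reentrancy point concrete, here is an added example (not code from the post, from Curve or from Vyper) that models in Python how a reentrancy guard can fail at the compiler level: the pool's functions each take a lock, but if the compiler does not share that lock across functions, a lock taken in one function does not stop a callback from re-entering another. The pool, the balances, the `Reenterer` callback and the "buggy vs. correct lock" switch are all constructed for illustration; the accounting invariant shown is the kind of check a monitor can run to detect that state went inconsistent.

```python
class ReentrancyBlocked(Exception):
    pass

class Pool:  # toy liquidity pool: ETH it holds vs. per-provider shares (1 share = 1 ETH)
    def __init__(self, shared_lock):
        self.shared_lock = shared_lock  # True models a correctly compiled lock
        self.locks, self.shares, self.eth = {}, {}, 0

    def _acquire(self, fn_name):
        # Correct: all functions tagged with the same lock key share one slot.
        # Buggy model (assumption): each function gets its own slot, so the
        # lock taken in remove_liquidity does not stop re-entry into add_liquidity.
        key = "lock" if self.shared_lock else fn_name
        if self.locks.get(key):
            raise ReentrancyBlocked(fn_name)
        self.locks[key] = True
        return key

    def invariant_holds(self):
        # Accounting invariant a monitor can check: ETH held == total shares.
        return self.eth == sum(self.shares.values())

    def add_liquidity(self, provider, amount):
        key = self._acquire("add_liquidity")
        self.shares[provider] = self.shares.get(provider, 0) + amount
        self.eth += amount
        self.locks[key] = False

    def remove_liquidity(self, provider):
        key = self._acquire("remove_liquidity")
        amount = self.shares[provider]
        self.eth -= amount
        provider.receive(self, amount)  # external call before the share update
        self.shares[provider] = 0
        self.locks[key] = False

class Reenterer:  # constructed provider whose ETH-receive hook calls back into the pool
    def __init__(self):
        self.reentered, self.invariant_seen = False, None

    def receive(self, pool, amount):
        try:
            pool.add_liquidity(self, amount)  # re-entry attempt during remove_liquidity
            self.reentered, self.invariant_seen = True, pool.invariant_holds()
        except ReentrancyBlocked:
            pass  # on-chain the revert would propagate; caught here so we can inspect state

def run(shared_lock):
    # Returns (re-entry succeeded?, invariant during re-entry, invariant afterwards)
    pool, lp = Pool(shared_lock), Reenterer()
    pool.add_liquidity(lp, 10)
    pool.remove_liquidity(lp)
    return lp.reentered, lp.invariant_seen, pool.invariant_holds()
```

With the shared lock, the re-entry is refused and the books balance; with per-function locks, the callback gets in while ETH has already left but shares are not yet updated, and the invariant is broken both during and after the call.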
A few tweets were sent by the Curve and Vyper teams, as well as JPEG'd, all of whom were pointing fingers and trying to pick someone to blame.
The Future of DeFi
DeFi is obviously a sector of Crypto that I keep a close eye on. I believe it will end up being one of the main sectors of the entire crypto industry, if it isn't already. Liquidity is extremely valuable to an emerging industry like crypto.
The liquidity on DeFi protocols will enable a lot of positive things for crypto in the long-run but it also enables a lot of malicious actors who see the billions of dollars lying around for the taking.
As the sector continues to mature, I expect more vulnerabilities. Security is paramount, and I think all of the hacks and rug pulls we see shine a light on the need for more auditing and checks & balances in the industry at large.
I have experience building DeFi products. I also have worked with auditing firms within Crypto.
Auditing firms in crypto are pretty bad to be completely honest. They're hard to work with and tend to rush their work. They are as much out to just make money and move on as anyone else.
I have had multiple firms audit various contracts, and one firm will find a vulnerability that the others did not, and vice versa.
It tells me that these firms don't really care about their work. They care about their paycheck and then move on completely.
That's not the case with every firm, and I have found some firms and individual devs who take pride in their work and value security, understanding that they play a key role in securing a network and helping the people who choose to use it.
It's a vital job for the space and I would love to see more successful auditing companies. I also think TradFi offers us a lot in this regard and hope to see TradFi auditing firms step into the space and bring some professionalism to DeFi.
As a user of Curve, I wasn't impacted by this hack, but I do hope to see Curve land on its feet. They are a staple in the DeFi sector, and seeing them lose liquidity would cause detrimental ripple effects in other sections of DeFi.
To me, this is another reminder that you should understand the risks of any protocol - no matter how old, big or small - and never put all your eggs in one basket. Having a diversified basket of liquidity pools, crypto assets, crypto wallets and blockchains is a vital strategy to survive in this space.
About LeoFinance
LeoFinance is a blockchain-based Web3 community that builds innovative applications on the Hive, BSC, ETH and Polygon blockchains. Our flagship application: LeoFinance.io allows users and creators to engage & share micro and long-form content on the blockchain while earning cryptocurrency rewards.
Our mission is to democratize financial knowledge and access with Web3.
Twitter: https://twitter.com/FinanceLeo
Discord: https://discord.gg/E4jePHe
Whitepaper: https://whitepaper.leofinance.io
Our Hive Applications
Join Web3: https://leofinance.io/
Microblog on Hive: https://leofinance.io/threads
Build a Microblogging Community on Hive: https://leofinance.io/communities
Delegate HIVE POWER: Earn 16% APY, Paid Daily. Currently @ 3.8M HP
Hivestats: https://hivestats.io
LeoDex: https://leodex.io
LeoFi: https://leofi.io
BSC HBD (bHBD): https://wleo.io/hbd-bsc/
BSC HIVE (bHIVE): https://wleo.io/hive-bsc/
Earn 25%+ APY on HIVE/HBD: https://cubdefi.com/farms
Web3 & DeFi
Web3 is about more than social media. It encompasses a personal revolution in financial awareness and data ownership. We've merged the two with our Social Apps and our DeFi Apps:
CubFinance (BSC): https://cubdefi.com
PolyCUB (Polygon): https://polycub.com
Multi-Token Bridge (Bridge HIVE, HBD, LEO): https://wleo.io
One strong belief I do have is that crypto cannot be sent back to the dust, and the reason is that it keeps going and getting advancements most of the time.
It ain't going anywhere!
That's nice, enjoy your day
DeFi is never going to take off with these constant hacks and no way to recover it.
This definitely hurts DeFi, but Curve can redeem itself by how it handles the investor losses.
Every major crypto / chain / sub-industry has had hacks.
That being said, yeah this is bad. The industry needs some level of oversight
No Leoglossary links?
LOL! almost LMAO at this. This community is so cool.
wen automated way to add
Only you and the developers know.
touché
Good points Khal, even an OG protocol like Curve can get hacked. A sobering reminder of how early we are in terms of development of DeFi. DeFi is like New York; the best of things and the worst of things, with plenty in between.
exactly, we are so very early and I think many more protocols may face trouble in the future. It’s important to know how early you are
This hack reminds me of Willie Sutton's Law. Willie Sutton, a famous bank robber in the 1930s, was asked why he robbed banks. His reply: "Because that's where the money is." Curve is really just a big crypto bank, and all such fortunes attract robbers, which today we call hackers.
It proves a statement Khal made when he launched Cubfinance: anyone can be hacked, it just takes dedication and exploiting a weakness.
This also reminds me of wleo-eth, and as Khal says, the impact on Curve will mainly depend on how they handle it. This will be what investors remember when they decide whether to keep their money there or not, and whether they invest with Curve in the future.
The way Khal handled the wleo-eth hack won the hearts and minds of many of the Leo faithful, and we have followed him into uncharted territories ever since. It's not that he guarantees us against losses, but he takes responsibilities for those things which are his responsibility, and doesn't play the blame game.
Respect.
Kinda a big uncertainty with all the hacks ongoing; not good for DeFi's reputation.
"Web3 is about more than social media. It encompasses a personal revolution in financial awareness and data ownership."
It must be graffiti.
It's bad, to be honest. On top of the technical issue, which doesn't seem as big ... somewhere around 50M, that is small for a protocol with over 5B in liquidity, but the biggest issue is reputation, loss of trust etc ... I, for example, will be very nervous to pool on Curve now, ergo more liquidity will go away ... and on top of all of this we have our friend Justin Sun now entering the game, buying CRV at a discount from the founder, who turned out to have made a complete degen move taking out a 100M loan on AAVE with CRV as collateral .... I mean, cool, play the borrow game, but 100M? It's too much.... basically too big of a leverage in an extremely risky environment.
Yeah it is bad. It's small in terms of what was lost but the trust itself is the big piece of DeFi.
I actually didn't know that about JSUN. I knew that the Curve founder had the 2 big loans on Aave and another lender... He recently paid down some of the debt to make it more secure, but it is crazy that he is using so much founder stake to borrow debt.
The JSUN info just came out ...