Ethereum-based crypto exchange Curve targeted in major hack

31 Jul 2023


Blockchain auditing firm BlockSec estimates a bug in the Vyper programming language used by Curve and other projects has led to more than $40m in losses.

A popular stablecoin exchange on the Ethereum network has been the victim of a cyberattack that has reportedly put $100m worth of crypto at risk.

Curve Finance, a decentralised finance (DeFi) crypto exchange, has revealed that a bug in the Python-like programming language Vyper, which is widely used in DeFi applications, has led to an exploit that has affected its pools.

In a tweet yesterday (30 July), Curve said that several stablecoin pools – used for pricing and liquidity on DeFi services – that use Vyper 0.2.15 on its platform have been exploited because of a “malfunctioning re-entrancy lock” or glitch.

“We are assessing the situation and will update the community as things develop. Other pools are safe,” Curve wrote.

According to blockchain auditing firm BlockSec, current total losses are estimated to be more than $40m worth of crypto. This includes the attack on Curve and a copycat attack on the BNB Smart Chain (BSC). BlockSec posted its estimates on Twitter (now known as X).

Other projects that use the Vyper programming language could also be at risk, and the company has asked all those using the language to reach out to it.

Meir Dolev, co-founder and CTO of cybersecurity firm Cyvers, told Decrypt that attacks exploiting re-entrancy vulnerabilities are a common vector for hackers to steal from protocols. However, he added that it’s possible to avoid them with “proper design and development.”

The latest attack comes even as cryptocurrency-related crime appears to be down significantly compared to last year, according to a recent report by Chainalysis.

The blockchain analysis company’s report suggests that illicit activity related to crypto is down by 65pc compared to the same period last year, while deposits made to “risky” entities are down by 42pc.

This follows a particularly crime-riddled year for the sector, as a report in January suggested that the level of crypto-based illegal activity in 2022 was the highest on record, with $20.1bn in illegal transactions reported.

Meanwhile, OpenAI CEO Sam Altman last week launched Worldcoin, an ambitious crypto project to create a global identity and financial network that is “owned by everyone”.


Vish Gain is a journalist with Silicon Republic
