On July 30th, the Curve stablecoin pools alETH/msETH/pETH were attacked through a reentrancy lock vulnerability in certain versions of Vyper (0.2.15, 0.2.16, and 0.3.0). Alchemix, JPEG'd, Metronome, deBridge, and Ellipsis incurred a cumulative loss of approximately $70 million as a result of the attack:
Alchemix: 7259 ETH and 4821 alETH (approximately $22 million);
JPEG'd: 6106 ETH (approximately $11.4 million);
Metronome: 866.554 ETH (approximately $1.6 million) and 955 msETH (approximately $1.7 million);
CRV-ETH pool: 10,500 ETH (approximately $19.4 million) and 7.19 million CRV (approximately $4.4 million).
Affected by the attack, CRV price declines and founder's borrowed funds face liquidation risk
Following the attack, the Total Value Locked (TVL) of Curve Finance fell from $3.266 billion on July 30th to $1.869 billion on July 31st, a 24-hour decrease of 42.78%. The CRV price also fell by 14.89% in the same 24 hours.
The falling CRV price put founder Michael Egorov's $70 million loan position on Aave at risk of liquidation. In response, Egorov sold CRV over the counter (OTC) to raise funds to repay the loan.
Between the start of OTC sales on August 1st and August 6th, Egorov sold a total of 142.65 million CRV to 30 investors/institutions, obtaining $57.06 million in funds.
As of August 6th, Egorov still has 269.8 million CRV (equivalent to $166 million) pledged on four platforms, with a debt of approximately $48.7 million.
Attacker Returns Funds
On July 30th, the exploit user "coffeebabe.eth" returned 786 ETH ($1.45 million) and 955 msETH ($1.74 million) to Metronome, and returned 2879 ETH ($5.36 million) to Curve Finance.
On August 3rd, the Curve Foundation sent a message to the exploiters, stating that if the attacker returned the remaining 90% of the stolen funds before 8 AM (UTC) on August 6th, they would receive 10% of the stolen funds as a reward.
On August 4th, the attacker 0x6ec returned 5,495 WETH (worth $10 million) to JPEG'd and kept 610 ETH (worth $1.1 million) as a 10% reward. Attacker 0xdce returned 2,258 ETH (worth $4.15 million) and 4,820 alETH (worth $8.82 million) to AlchemixFi.
On August 5th, 0xdce returned 4,999 ETH (worth $9.18 million) to AlchemixFi, completing the full return.
As of August 6th, 32% of the stolen assets (approximately $18.7 million) have not been returned:
80 ETH (worth $1.47 million) from MetronomeDAO (held by coffeebabe.eth);
7,681 ETH (worth $14.4 million) and 7.19 million CRV (worth $4.43 million) from the CRV-ETH pool.
As of now, out of the $59.5 million stolen in the Curve Finance Vyper exploit, approximately $40.3 million has been returned, $560,000 was kept as the hacker's bounty, and roughly $18.7 million has not been recovered from the CRV/ETH exploiter (0xb752...b324).
On August 7th, Curve Finance tweeted that the deadline for the CRV/ETH exploiter to voluntarily return the funds had passed. Curve will pay a bounty (currently $1.85 million) to anyone who provides information that leads to the hacker's arrest and conviction.
In addition, Odaily reminds readers that some accounts on X (Twitter) have recently been impersonating official Curve accounts. These scam accounts often carry blue or yellow marks, so caution should be exercised.