The Curve Finance hack took place on July 30, with attackers targeting the liquidity pools of Curve (CRV), JPEG’d (JPEG), Alchemix (ALCX), and Metronome (MET). The cumulative losses amounted to $61.7 million; the hackers, however, returned approximately $10 million. An overwhelming 94% of CRV token holders voted in favor of compensating the affected users for their losses.
Just wanted to emphasize the scale of this. Victims are made whole with this vote with:
– $7.2M worth of ETH recovered by whitehats to the DAO being distributed
– $42M worth of CRV compensating unrecovered parts (vested)
– Other whitehat-recovered funds distributed before vote https://t.co/qmcK9pmTe5
— Curve Finance (@CurveFinance) December 22, 2023
The hackers exploited a vulnerability in specific versions (0.2.15, 0.2.16, and 0.3.0) of the Vyper programming language, commonly used to interact with the Ethereum Virtual Machine (EVM). This vulnerability allowed them to execute duplicate transaction attacks.
In late November, the Velodrome Finance trading protocol within the Optimism ecosystem also fell victim to a hack. As a result, the project had to be suspended until the vulnerability was rectified.