
Curve DEX
Hacked · DeFi · $CRV · born 2020 · ✝ 2023
A compiler bug, not the contracts, opened the door.
Curve is a major Ethereum DEX specializing in stablecoin and pegged-asset swaps. In July 2023 a reentrancy bug in specific versions of the Vyper compiler exposed several Curve pools, leading to roughly $61.7M in losses.
- Peak: ~$61.7M stolen
- Cause: Hacked
- Year of death: 2023
☠️ Cause of death
A malfunctioning reentrancy lock in certain Vyper compiler versions let attackers reenter pool functions the contracts assumed were protected.
📓 Lessons left behind
- Your dependencies, including the compiler, are part of your attack surface.
- Pin and audit toolchain versions, not just source code.
- Reentrancy guards are worthless if the compiler emits them wrong.
🌱 The idea that survived
Toolchain auditing
Highlighted that smart-contract security must extend to compilers and build tooling.
#defi #reentrancy #compiler #ethereum