Curve Finance’s $62M exploit exposes larger issues for DeFi ecosystem

Hackers stole around $62 million from Curve Finance on Sunday, causing a ripple effect throughout the crypto sector and raising questions about the strength of the decentralized finance ecosystem.

Curve is one of the largest decentralized exchanges (DEX) in the crypto market today, with about $1.67 billion in total value locked (TVL), according to data on DeFi TVL aggregator DeFiLlama.

A handful of DeFi projects’ pools were also hacked, including PEGD’s pETH/ETH: $11 million; Metronome’s msETH/ETH: $3.4 million; Alchemix’s alETH/ETH: $22.6 million; and Curve DAO: around $24.7 million, according to LlamaRisk’s post-exploit assessment.

A bug found in older versions of the Vyper compiler contract programming language caused a failure in a security feature used by a handful of Curve liquidity pools. An admin in Curve Finance’s Telegram group declined to comment further to TechCrunch+ and referred us back to the post-exploit assessment.

By crypto standards, this wasn’t considered a “big” hack; Curve is a massive DEX, and this hack makes up about 4% of its TVL. A portion of the exploit was done by white hat hacker user c0ffeebabe.eth, who returned 2,879 ether, roughly $5.4 million, to Curve, according to on chain data.

But this exploit isn’t the only problem Curve — and the broader crypto space — is facing.