Curve Finance factory pools targeted due to reentrancy vulnerability

Quick Take

  • Factory pools on Curve Finance faced a reentrancy vulnerability, a security flaw allowing potential funds drain from interrupted contract calls.
  • Large outflows were linked to a series of interactions starting with a flashloan, exploiting the reentrancy vulnerability in specific Vyper compiler versions.

Factory pools on Curve Finance have been confronted with a reentrancy vulnerability, a critical security flaw that arises when a contract's external call is interrupted and called back before its completion, potentially allowing attackers to maliciously drain funds or exploit the contract's logic. This vulnerability led to significant outflows across various associated pools, amounting to over $26 million. 

According to security analysts at Beosin, the attacker targeted Curve's factory pools of multiple projects: JPEGd, Metronome and Alchemix.

JPEGd’s pETH-ETH factory pool on Curve saw an outflow of $11.4 million. Following closely, the Metronome’s sETH-ETH pool saw a movement of $1.6 million. However, it was the Alchemix’s alETH-ETH pool that witnessed the most significant activity, with a substantial $13.6 million being transacted. 

So far, overall asset outflows related to this security incident on Curve pools have crossed $41 million, according to estimates from security firm BlockSec.

Curve Finance is a decentralized exchange (DEX) optimized for efficient stablecoin trading. Over time, it has expanded its offerings to cater to other types of assets. Factory pools describe a system where new liquidity pools can be created using a standardized framework or “factory.” Instead of the Curve team manually creating each pool, this system offers a more permissionless approach, enabling projects or individuals to launch their own liquidity pools leveraging Curve’s infrastructure.

Vyper version vulnerabilities


Keep up with the latest news, trends, charts and views on crypto and DeFi with a new biweekly newsletter from The Block's Frank Chaparro

By signing-up you agree to our Terms of Service and Privacy Policy