Curve Finance factory pools targeted due to reentrancy vulnerability

Quick Take

  • Factory pools on Curve Finance faced a reentrancy vulnerability, a security flaw allowing potential funds drain from interrupted contract calls.
  • Large outflows were linked to a series of interactions starting with a flashloan, exploiting the reentrancy vulnerability in specific Vyper compiler versions.

Factory pools on Curve Finance have been confronted with a reentrancy vulnerability, a critical security flaw that arises when a contract's external call is interrupted and called back before its completion, potentially allowing attackers to maliciously drain funds or exploit the contract's logic. This vulnerability led to significant outflows across various associated pools, amounting to over $26 million. 

According to security analysts at Beosin, the attacker targeted Curve's factory pools of multiple projects: JPEGd, Metronome and Alchemix.

JPEGd’s pETH-ETH factory pool on Curve saw an outflow of $11.4 million. Following closely, the Metronome’s sETH-ETH pool saw a movement of $1.6 million. However, it was the Alchemix’s alETH-ETH pool that witnessed the most significant activity, with a substantial $13.6 million being transacted. 

So far, overall asset outflows related to this security incident on Curve pools have crossed $41 million, according to estimates from security firm BlockSec.

Curve Finance is a decentralized exchange (DEX) optimized for efficient stablecoin trading. Over time, it has expanded its offerings to cater to other types of assets. Factory pools describe a system where new liquidity pools can be created using a standardized framework or “factory.” Instead of the Curve team manually creating each pool, this system offers a more permissionless approach, enabling projects or individuals to launch their own liquidity pools leveraging Curve’s infrastructure.

Vyper version vulnerabilities


Keep up with the latest news, trends, charts and views on crypto and DeFi with a new biweekly newsletter from The Block's Frank Chaparro

By signing-up you agree to our Terms of Service and Privacy Policy
By signing-up you agree to our Terms of Service and Privacy Policy

Today’s outflows involved a sequence of interactions. They began with a flashloan, which appeared to exploit the reentrancy vulnerability associated with certain older compiler versions of Vyper – the smart contract programming language used to write the code for these factory pools, as explained by Igor Igamberdiev, the head of research at Wintermute. 

Vyper has acknowledged that its versions 0.2.15, 0.2.16, and 0.3.0 are vulnerable to malfunctioning reentrancy locks, with investigations ongoing.

While the immediate reaction was dominated by concerns of a massive security breach, on-chain data suggests that MEV bots might have front-run some of these transactions. This has led to speculation that whitehat hackers could be involved.

"We're running a large white hat rescue operation. Please reach out if you think you're affected as a project," a security researcher who goes by the pseudonym ‘pcaversaccio’ announced on Twitter. 

© 2023 The Block. All Rights Reserved. This article is provided for informational purposes only. It is not offered or intended to be used as legal, tax, investment, financial, or other advice.

About Authors

Vishal Chawla is The Block’s crypto ecosystems editor and has spent over six years covering tech protocols, cybersecurity, artificial intelligence and cloud computing. Vishal likes to delve deep into blockchain intricacies to ensure readers are well-informed about the continuously evolving crypto landscape. He is also a staunch advocate for rigorous security practices in the space. Before joining The Block, Vishal held positions at IDG ComputerWorld, CIO, and Crypto Briefing. He can be reached on Twitter at @vishal4c and via email at [email protected]
Frank Chaparro is the Editor At Large at The Block. Chaparro started his career at Business Insider, where he specialized in the intersection of digital assets and Wall Street, market structure, and financial technology. Soon after joining Business Insider out of Fordham University, Chaparro was interviewing top finance and tech executives, including billionaire Mark Cuban, “Flash Boys” star Brad Katsuyama, Cboe Global Markets CEO Ed Tilly, and New York Stock Exchange President Tom Farley. In 2018, he become a sought after reporter in the crypto world, interviewing luminaries such as Tyler Winklevoss, the cofounder of Gemini, Jeremy Allaire, the CEO of Circle, and Fundstrat head Tom Lee. He runs his own podcast The Scoop and writes a biweekly eponymous newsletter. He leads special projects, including The Block's flagship podcast, The Scoop. Prior to The Block, he held roles at Business Insider, NPR, and Nasdaq. For inquiries or tips, email [email protected].