The Curve Finance lending protocol has recently taken significant steps to address the vulnerabilities and exploits it faced in July. In response to the July 30 Curve exploit and the July 6 Multichain exploit, the protocol has terminated governance token rewards for certain liquidity pools. This decision was made public on August 2 by a member of the protocol’s governing body, Gabriel Shapiro.
The termination of rewards was carried out by the Curve Emergency decentralized autonomous organization (Curve E-DAO), which consists of select members of the Curve DAO governing body. The affected pools include alETH+ETH, msETH-ETH, pETH-ETH, crvCRVETH, Arbitrum Tricrypto, and multibtc3CRV, as mentioned in the official announcement. However, it is important to note that the decision can be reversed in the future if the Curve DAO conducts a full vote.
The incidents leading up to this decision were particularly concerning. On July 6, a substantial amount of cryptocurrency, amounting to over $100 million, was withdrawn from various bridges associated with the Multichain protocol. The Multichain team characterized these withdrawals as “abnormal” and advised users to halt their use of Multichain. In response to this, the Curve team also warned its users to withdraw assets such as multiBTC, indicating that their own multibtc3CRV liquidity pool was at risk.
Subsequently, on July 14, the Multichain team revealed that the withdrawals were triggered by an unknown individual who had managed to access the CEO’s cloud computing account, leading to the exploitation of funds that might never be recovered.
Curve Finance hack
As if that wasn’t enough, on July 30, Curve Finance itself fell victim to a reentrancy attack that resulted in the loss of over $47 million worth of cryptocurrency. The attack targeted the alETH, msETH, and pETH pools, which were vulnerable because they were built with the Vyper smart contract language, which contained the exploitable vulnerability. Other pools created through different means were unaffected.
Despite these significant exploits and vulnerabilities, the affected pools continued to generate Curve DAO (CRV) governance token rewards, allowing users to earn CRV by depositing their tokens into these compromised pools. However, the August 2 announcement indicated that the emergency DAO has taken action by ceasing these rewards to prevent further incentivization of participation in the vulnerable pools.
It is essential to highlight that the crypto space continues to face challenges, and investors have suffered losses due to hacks and scams during July and August. Notably, payment provider Alphapo allegedly lost more than $60 million on July 23, reportedly due to an attacker gaining access to the company’s hot wallet private keys. While the company has not officially confirmed the attack, analysis by on-chain investigators suggests the transfers were abnormal and likely the result of a hack. Additionally, on July 25, zkSync was exploited for $3.4 million due to a read-only reentrancy bug.