Curve Finance Loss Event (30 July 2023) | Claim Assessment Guide


Summary

On 30 July 2023, a vulnerability within the Vyper codebase for versions 0.2.15, 0.2.16 and 0.3.0 was exploited within select Curve Finance pools. This vulnerability allowed an attacker to bypass the re-entrancy guards and drain funds from the JPEG’d (pETH/ETH), Alchemix (alETH/ETH), Metronome (msETH/ETH), and Curve (CRV/ETH) pools.

At this time, the total loss amount is not clear: some whitehats and MEV bots have rescued funds, some of those funds have been returned to the Curve team, and some funds are still outstanding. The total amount realized by the blackhat attacker may not be confirmed until the Curve Finance team shares their post-mortem report and provides clarity on potential reimbursement for affected users.

We recommend members wait to file claims until more information is available, so Claim Assessors can accurately determine loss and factor in potential reimbursement amounts.

Claim Filing Timeline

Members who held active Curve Finance Protocol Cover when the hacks occurred may file a claim request, if those members suffered a loss due to the hack(s), once the 72-hour cool-down period passes. Members can submit their claims during the cover period or up to 35 days after the cover period ends.

For claim filing purposes, we will use the first attack as the start of the 72-hour cool-down period. The first attack occurred at 1:10pm UTC on 30 July 2023.

  • Claims filing will open on Wednesday (2 August 2023) at 1:11pm UTC
    • We recommend members wait to file claims until more information is available, so Claim Assessors can accurately determine loss and factor in potential reimbursement amounts.

Reimbursement

Members who successfully submit and redeem their claims, and are subsequently able to recover their losses from Curve Finance or any other third party, are requested to notify [email protected] and promptly reimburse Nexus Mutual for any redeemed claims under the Curve Finance Protocol Cover.

For Members Planning on Acting as Claim Assessors

If you plan on staking NXM and acting as a Claim Assessor, you can read through the Claim Assessment section in the Nexus Mutual documentation.

All of the Curve Finance Protocol Covers that were active when the attack happened were under the Protocol Cover wording v1.0. Any members who file claims must provide cryptographic evidence that links ownership of the impacted account to the Covered Member’s account that is submitting the claim, where the impacted account shows a material loss was suffered by the member.

You can check the Curve Finance Covers and Claims Tracker to see the covers that were active at the time the loss event occurred.

As a reminder: Cover is provided on a discretionary basis with Nexus Mutual members having the final say on which claims are paid.

Assessing the validity of claims & voting

As a Claim Assessor, you must review the validity of a submitted claim request and vote based on your understanding of the cover wording and the evidence submitted by members who file claim requests.

  • If you believe a claim is valid, then you can vote to Approve
  • If you believe a claim is not valid, then:
    • If no Approve votes have been cast, you do not have to do anything. If a claim submission receives no votes during the 72-hour voting period, it will automatically be denied
    • If at least one (1) or more Approve votes have been cast, you can vote to Deny

See the Claim Assessment process section in the Nexus Mutual documentation for more information. If you have never participated as a Claim Assessor, please review this section of the documentation.

Fraudulent vote submission & Advisory Board actions

During the cool-down period, claim outcomes can be reviewed if fraudulent voting is suspected. If the Advisory Board finds a claim assessor to have voted to deny a legitimate claim or approve an illegitimate claim, then a fraud penalty can be imposed. The Advisory Board can submit a merkle-tree root hash representing the fraudulent voter and their assessment stake. The fraudulent vote is reversed and the fraudulent assessor’s stake is burned.

Once the Advisory Board submits the merkle-tree root hash, anyone can process the fraud penalty. By processing the fraud penalty, a member is executing the transaction that burns the assessor’s stake and reverses their fraudulent vote.

If you submit a fraudulent claim assessment vote, you risk losing the NXM you stake in the Claim Assessment process. See the Nexus Mutual documentation for more information.

Analysis

Claim Assessors can review the available analysis ahead of claims filing. At this time, members are waiting for more information to be released, including the Curve team post-mortem report and guidance on potential reimbursement for the affected Curve pools to which funds have been returned to date.

The following is provided for your convenience. Feel free to add additional information in the comments.

Update as of 7 August 2023

Alchemix alETH/ETH Curve pool

The attacker who drained the alETH/ETH Curve pool has returned all funds to the Alchemix team. Following this update, the Alchemix team shared:

We are currently working on a full post mortem and a recovery plan which will be announced in due course.

JPEG’d pETH/ETH Curve pool

The JPEG’d team shared that the attacker has returned:

5,494.4 WETH back to the JPEG’d Multisig for a total of 5,495.4 WETH. A 10% white-hat bounty of 610.6 WETH was awarded to the owner of the address that recovered funds from the pETH exploit.

They’ve also provided an update:

We will share a timeline of events related to the pETH exploit and recovery in the near future.

Metronome msETH/ETH pool

The Metronome team shared the following update:

We have managed to recover a significant portion of the exploited funds and will be continuing efforts to recover the remainder.

Our next step will be finalizing our recovery plan with the goal of making LPs as whole as possible. Therefore, we have established a new msETH/WETH pool that has been initially seeded with liquidity and will continue to be ramped up over the next 10 days. The recovery plan will include how LPs can claim a position on this new pool.

In deploying this new msETH/WETH pool, we have been able to resume Metronome Mainnet operations. Users are once again able to manage their Metronome Synth and Smart Farming positions.

We will share more information as it becomes available.

Curve Finance CRV/ETH pool

As of this update, c0ffeebabe.eth, the owner of the MEV bot who was able to save some of the exploited funds, returned 2,879.54 ETH ($5.4m) to the Curve deployer.

After sending multiple messages to the blackhat who drained funds from the CRV/ETH pool, the Curve team has now put out a $1.85m bounty for anyone that provides information that can be used to identify the exploiter.

After the initial two exploits on the CRV/ETH pool, a whitehat rescue was successful in removing the remaining vulnerable funds left in the pool, per the Curve team’s update.

Vyper Nonreentrancy Lock Vulnerability Technical Post-Mortem Report

The Vyper team has published their post-mortem report on the nonreentrancy lock vulnerability, which claim assessors can review.

Below is the TL;DR the Vyper team provided:

  • versions affected: v0.2.15, v0.2.16, v0.3.0
  • vulnerability in brief: cross-function re-entrancy is possible on contracts compiled with the susceptible versions
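The property at stake in that TL;DR is that a re-entrancy lock is only useful if every function tagged with the same lock key actually shares one lock. The following Python model is an added illustration for claim assessors who want to see why cross-function re-entry matters; it is not code from this post, from Vyper or from the Curve contracts. The Vault, its two guarded functions, the callback and the slot allocation are all constructed here, and the "defective" case simply models a lock that is tracked per function instead of per key (the exact compiler defect is described in the Vyper report, not here). The check it demonstrates is the one a reviewer would want: with a shared lock the re-entrant call is rejected and the vault's ETH always covers the balances it owes; with per-function locks that invariant breaks.

```python
from functools import wraps


class Reentered(Exception):
    """Raised when a guarded function is entered while its lock is held."""


def nonreentrant(key):
    """Model of a @nonreentrant(key) decorator (constructed for this example)."""
    def deco(fn):
        @wraps(fn)
        def wrapper(self, *args, **kwargs):
            slot = self._slot_for(key, fn.__name__)
            if self.storage.get(slot, 0):
                raise Reentered(f"{fn.__name__}: lock {key!r} already held")
            self.storage[slot] = 1
            snapshot = (dict(self.balances), self.eth_held)
            try:
                return fn(self, *args, **kwargs)
            except Exception:
                # Model an EVM revert: undo every state change made by this call.
                self.balances, self.eth_held = snapshot
                raise
            finally:
                self.storage[slot] = 0
        return wrapper
    return deco


class Vault:
    """Toy vault: balances it owes to users, and the ETH it actually holds."""

    def __init__(self, shared_lock):
        self.shared_lock = shared_lock   # True = correct guard, False = modelled defect
        self.storage = {}                # lock slots, as contract storage would hold them
        self._slots = {}
        self.balances = {}
        self.eth_held = 0

    def _slot_for(self, key, fn_name):
        # Correct: one storage slot per lock key, shared by every tagged function.
        # Defective (modelled): one slot per (key, function), so the lock taken by
        # withdraw() is invisible to transfer() and vice versa.
        slot_key = key if self.shared_lock else (key, fn_name)
        return self._slots.setdefault(slot_key, len(self._slots))

    def deposit(self, user, amount):
        self.balances[user] = self.balances.get(user, 0) + amount
        self.eth_held += amount

    @nonreentrant("lock")
    def withdraw(self, user, receive_eth):
        amount = self.balances.get(user, 0)
        # The external call happens while balances still show the old value.
        # The shared lock is what makes this ordering safe.
        self.eth_held -= amount
        receive_eth(amount)
        self.balances[user] = 0

    @nonreentrant("lock")
    def transfer(self, frm, to, amount):
        if self.balances.get(frm, 0) < amount:
            raise ValueError("insufficient balance")
        self.balances[frm] -= amount
        self.balances[to] = self.balances.get(to, 0) + amount


def total_claims(vault):
    """ETH the vault owes; solvency means eth_held >= total_claims."""
    return sum(vault.balances.values())


def run_scenario(shared_lock):
    """Returns (eth_held, total_claims, reentry_blocked) after one withdraw
    whose callback re-enters a second guarded function."""
    v = Vault(shared_lock)
    v.deposit("alice", 100)
    v.deposit("bob", 100)   # an uninvolved depositor
    outcome = {"blocked": False}

    def callback(amount):
        # Inside alice's withdraw her balance still reads 100, so a
        # transfer() of that stale balance is attempted.
        try:
            v.transfer("alice", "alice2", amount)
        except Reentered:
            outcome["blocked"] = True
            raise

    try:
        v.withdraw("alice", callback)
    except Reentered:
        pass   # the whole withdraw reverted; state restored by the wrapper
    return v.eth_held, total_claims(v), outcome["blocked"]


if __name__ == "__main__":
    print("shared lock     :", run_scenario(shared_lock=True))
    print("per-function lock:", run_scenario(shared_lock=False))
```

With the shared lock the vault ends where it started (200 ETH held against 200 ETH owed) and the re-entry is rejected; with per-function locks the vault holds 100 ETH against 200 ETH of claims, which is the insolvency a cross-function re-entrancy produces. The practical takeaway for anyone reviewing a contract's guard is to confirm that functions sharing a lock key really share one lock, not to trust the annotation alone.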

Reimbursement from Alchemix, JPEG’d, Metronome, and Curve Finance

Since funds have been recovered (in some cases all funds, in other cases partial funds so far), it is clear that teams are working to reimburse affected users directly, and those plans are forthcoming.

As more information becomes available, I’ll provide updates in this thread.