On 30 July 2023, a vulnerability within the Vyper codebase for versions 0.2.15, 0.2.16 and 0.3.0 was exploited within select Curve Finance pools. This vulnerability allowed an attacker to bypass the re-entrancy guards and drain funds from the JPEG’d (pETH/ETH), Alchemix (alETH/ETH), Metronome (msETH/ETH), and Curve (CRV/ETH) pools.
At this time, the total loss amount is not clear: some whitehats and MEV bots have rescued funds, some funds have been returned to the Curve team, and some funds are still outstanding. The total amount realized by the blackhat attacker may not be confirmed until the Curve Finance team shares their post-mortem report and provides clarity on potential reimbursement for affected users.
We recommend members wait to file claims until more information is available, so Claim Assessors can accurately determine loss and factor in potential reimbursement amounts.
Members who held active Curve Finance Protocol Cover when the hacks occurred, and who suffered a loss due to the hack(s), may file a claim request once the 72-hour cool-down period passes. Members can submit their claims during the cover period or up to 35 days after the cover period ends.
For claim filing purposes, we will use the first attack as the start of the 72-hour cool-down period. The first attack occurred at 1:10pm UTC on 30 July 2023.
- Claims filing will open on Wednesday (2 August 2023) at 1:11pm UTC
- We recommend members wait to file claims until more information is available, so Claim Assessors can accurately determine loss and factor in potential reimbursement amounts.
Members who successfully submit and redeem their claims, and are subsequently able to recover their losses from Curve Finance or any other third party, are requested to notify [email protected] and promptly reimburse Nexus Mutual for any redeemed claims under the Curve Finance Protocol Cover.
If you plan on staking NXM and acting as a Claim Assessor, you can read through the Claim Assessment section in the Nexus Mutual documentation.
All of the Curve Finance Protocol Covers that were active when the attack happened were under the Protocol Cover wording v1.0. Any members who file claims must provide cryptographic evidence that links ownership of the impacted account to the Covered Member’s account that is submitting the claim, where the impacted account shows a material loss was suffered by the member.
You can check the Curve Finance Covers and Claims Tracker to see the covers that were active at the time the loss event occurred.
As a reminder: Cover is provided on a discretionary basis with Nexus Mutual members having the final say on which claims are paid.
As a Claim Assessor, you must review the validity of a submitted claim request and vote based on your understanding of the cover wording and the evidence submitted by members who file claim requests.
- If you believe a claim is valid, then you can vote to Approve
- If you believe a claim is not valid, then:
  - If no Approve votes have been cast, you do not have to do anything. If a claim submission receives no votes during the 72-hour voting period, it will automatically be denied
  - If at least one (1) or more Approve votes have been cast, you can vote to Deny
See the Claim Assessment process section in the Nexus Mutual documentation for more information. If you have never participated as a Claim Assessor, please review this section of the documentation.
During the cool-down period, claim outcomes can be reviewed if fraudulent voting is suspected. If the Advisory Board finds a Claim Assessor to have voted to deny a legitimate claim or to approve an illegitimate claim, then a fraud penalty can be imposed. The Advisory Board can submit a merkle-tree root hash representing the fraudulent voter and their assessment stake. The fraudulent vote is reversed and the fraudulent assessor’s stake is burned.
Once the Advisory Board submits the merkle-tree root hash, anyone can process the fraud penalty. By processing the fraud penalty, a member is executing the transaction that burns the assessor’s stake and reverses their fraudulent vote.
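The following is an added illustration of the mechanism described above, not Nexus Mutual's contract code: the Advisory Board commits to a batch of (assessor, stake, vote) entries with one merkle root, and anyone can later process a single penalty by supplying that entry plus its merkle proof. The sha256 hash, the leaf layout, the sorted-pair hashing and all sample addresses, stakes and vote ids are assumptions constructed for the example.

```python
import hashlib
from typing import List

# Constructed sample only: addresses, stakes (wei) and vote ids are made up.
FRAUDULENT_VOTERS = [
    ("0x00000000000000000000000000000000000000a1", 1500 * 10**18, 7),
    ("0x00000000000000000000000000000000000000b2", 320 * 10**18, 7),
    ("0x00000000000000000000000000000000000000c3", 90 * 10**18, 9),
]

def h(data: bytes) -> bytes:
    # sha256 stands in for the on-chain hash; the leaf layout is an assumption.
    return hashlib.sha256(data).digest()

def leaf(addr: str, stake: int, vote_id: int) -> bytes:
    # One leaf commits to the assessor, the stake to burn and the vote to reverse.
    return h(bytes.fromhex(addr[2:]) + stake.to_bytes(32, "big") + vote_id.to_bytes(32, "big"))

def pair(a: bytes, b: bytes) -> bytes:
    # Sorted-pair hashing: proofs then need no left/right position flags.
    return h(min(a, b) + max(a, b))

def next_level(nodes: List[bytes]) -> List[bytes]:
    if len(nodes) % 2:              # odd level: duplicate the last node
        nodes = nodes + [nodes[-1]]
    return [pair(nodes[i], nodes[i + 1]) for i in range(0, len(nodes), 2)]

def merkle_root(leaves: List[bytes]) -> bytes:
    # The Advisory Board publishes only this single hash on-chain.
    nodes = list(leaves)
    while len(nodes) > 1:
        nodes = next_level(nodes)
    return nodes[0]

def merkle_proof(leaves: List[bytes], index: int) -> List[bytes]:
    # Sibling hashes from leaf to root; whoever processes the penalty supplies these.
    proof, nodes = [], list(leaves)
    while len(nodes) > 1:
        if len(nodes) % 2:
            nodes = nodes + [nodes[-1]]
        proof.append(nodes[index ^ 1])
        nodes, index = next_level(nodes), index // 2
    return proof

def process_fraud_penalty(root: bytes, addr: str, stake: int, vote_id: int, proof: List[bytes]) -> bool:
    # True only if (addr, stake, vote_id) is committed to by root; the contract
    # would then burn `stake` and reverse vote `vote_id`. Any altered field fails.
    node = leaf(addr, stake, vote_id)
    for sibling in proof:
        node = pair(node, sibling)
    return node == root
```

Because the root is fixed once submitted, a processor cannot change which assessor is penalised or by how much; a proof for a different stake or a different vote id does not recombine to the published root.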
If you submit a fraudulent claim assessment vote, you risk losing the NXM you stake in the Claim Assessment process. See the Nexus Mutual documentation for more information.
Claim Assessors can review the available analysis ahead of claims filing. At this time, members are waiting for more information to be released, including the Curve team's post-mortem report and guidance on potential reimbursement for the affected Curve pools to which funds have been returned to date.
The following is provided for your convenience. Feel free to add additional information in the comments.
- Llama Risk’s Curve Pool Reentrancy Exploit Postmortem July 30th, 2023
- BraveNewDeFi’s summary of the Curve Finance exploit
- JPEG’d announcement
- Alchemix announcement
- Curve announcement
- Curve warning to withdraw from TriCrypto pool
- Vyper announcement
- Hexagate analysis
- Taylor Monahan loss summary
- CoinDesk news coverage. First Mover Americas: Curve Finance Exploit Puts More Than $100M of Crypto at Risk
- Decrypt news coverage. DeFi Exchange Curve Finance Confirms Various Ethereum Pools Hacked
- Blockworks news coverage. Curve suffers $70M exploit, but damage contained
- The Defiant news coverage. Over $70M Stolen From Multiple DeFi Protocols Due To Vyper Code Bug