Curve Finance Loss Event (30 July 2023) | Claims Guide

Summary

On 30 July 2023, a vulnerability within the Vyper codebase for versions 0.2.15, 0.2.16 and 0.3.0 was exploited within select Curve Finance pools. This vulnerability allowed an attacker to bypass the re-entrancy guards and drain funds from the JPEG’d (pETH/ETH), Alchemix (alETH/ETH), Metronome (msETH/ETH), and Curve (CRV/ETH) pools.

At this time, the total loss amount is not clear: some whitehats and MEV bots have rescued funds, some funds have been returned to the Curve team, and some funds are still outstanding. The total amount realized by the blackhat attacker may not be confirmed until the Curve Finance team shares their post-mortem report and provides clarity on potential reimbursement for affected users.

We recommend members wait to file claims until more information is available, so Claim Assessors can accurately determine loss and factor in potential reimbursement amounts.

Claim Filing Timeline

Members who held active Curve Finance Protocol Cover when the hacks occurred, and who suffered a loss due to the hack(s), may file a claim request once the 72-hour cool-down period passes. Members can submit their claims during the cover period or up to 35 days after the cover period ends.

For claim filing purposes, we will use the first attack as the start of the 72-hour cool-down period. The first attack occurred at 1:10pm UTC on 30 July 2023.

  • Claims filing will open on Wednesday (2 August 2023) at 1:11pm UTC
    • We recommend members wait to file claims until more information is available, so Claim Assessors can accurately determine loss and factor in potential reimbursement amounts.

Reimbursement

Members who successfully submit and redeem their claims, and are subsequently able to recover their losses from Curve Finance or any other third party, are requested to notify [email protected] and promptly reimburse Nexus Mutual for any redeemed claims under the Curve Finance Protocol Cover.

For Members Planning on Filing Claims

If you held an active Curve Finance Protocol Cover when the loss event occurred AND you suffered a loss due to the hack, you may file a claim request in the Nexus Mutual UI from Wednesday (2 August 2023) at 1:11pm UTC.

You can check the Curve Finance Covers and Claims Tracker to see if your cover was active at the time the loss event occurred.

When you are ready to file your claim, you can head to the Nexus Mutual user interface and begin the process. If you have any issues, you can head to the Nexus Mutual Discord, create a post in the DAO forums channel with the Claims and Curve Finance tags, and start a conversation. Or, you can head to the Open A Ticket channel and open a support ticket.

You can read the Nexus Mutual V2 documentation to familiarize yourself with the Protocol Cover claims process and the Claim Assessment process ahead of claims filing.

Proof of Loss

For Protocol Cover claims, you will need to prove that you lost funds due to the exploit by signing a message from the affected address during the claims filing process.

  • A signed transaction is required to confirm that the member filing the claim is the same person who owns the affected address when the affected address is different from the registered member address.
  • If the affected address is the same as your membership address, you will not need to sign a message and instead can proceed through the claim process.

You will also be able to include written details, links to supporting documentation, and/or upload screenshots or other files in the Incident Details portion of the claim submission process.

See the full Protocol Cover wording v1.0 for more information.

Calculating your loss amount ahead of claims filing

When you file your claim, you will need to enter the requested claim amount on the Incident Details page. This will be your actual loss amount. If that amount is less than your total covered amount, you will be filing a partial claim.

If you need help determining your loss amount, please head to the Open A Ticket channel in the Nexus Mutual Discord and open a support ticket. BraveNewDeFi or Sem will be able to help you calculate your loss.

Claims Support

If you have any questions about claims filing, proof of loss, or any other aspect of the upcoming claim event, please reach out in the Nexus Mutual Discord for support.

Resources

Update as of 7 August 2023

Alchemix alETH/ETH Curve pool

The attacker who drained the alETH/ETH Curve pool has returned all funds to the Alchemix team. Following this update, the Alchemix team shared:

We are currently working on a full post mortem and a recovery plan which will be announced in due course.

JPEG’d pETH/ETH Curve pool

The JPEG’d team shared that the attacker has returned:

5,494.4 WETH back to the JPEG’d Multisig for a total of 5,495.4 WETH. A 10% white-hat bounty of 610.6 WETH was awarded to the owner of the address that recovered funds from the pETH exploit.

They’ve also provided an update:

We will share a timeline of events related to the pETH exploit and recovery in the near future.

Metronome msETH/ETH pool

The Metronome team shared the following update:

We have managed to recover a significant portion of the exploited funds and will be continuing efforts to recover the remainder.

Our next step will be finalizing our recovery plan with the goal of making LPs as whole as possible. Therefore, we have established a new msETH/WETH pool that has been initially seeded with liquidity and will continue to be ramped up over the next 10 days. The recovery plan will include how LPs can claim a position on this new pool.

In deploying this new msETH/WETH pool, we have been able to resume Metronome Mainnet operations. Users are once again able to manage their Metronome Synth and Smart Farming positions.

We will share more information as it becomes available.

Curve Finance CRV/ETH pool

As of this update, c0ffeebabe.eth, whose MEV bot was able to save some of the exploited funds, has returned 2,879.54 ETH ($5.4m) to the Curve deployer.

After sending multiple messages to the blackhat who drained funds from the CRV/ETH pool, the Curve team has now put out a $1.85m bounty for anyone who provides information that can be used to identify the exploiter.

After the initial two exploits on the CRV/ETH pool, a whitehat rescue was successful in removing the remaining vulnerable funds left in the pool, per the Curve team’s update.

Vyper Nonreentrancy Lock Vulnerability Technical Post-Mortem Report

The Vyper team has published their post-mortem report on the nonreentrancy lock vulnerability, which members can review.

Below is the TL;DR the Vyper team provided:

versions affected: v0.2.15, v0.2.16, v0.3.0
vulnerability in brief: cross-function re-entrancy is possible on contracts compiled with the susceptible versions

Reimbursement from Alchemix, JPEG’d, Metronome, and Curve Finance

Since funds have been recovered (in some cases all funds, in other cases partial funds so far), it is clear that teams are working to reimburse affected users directly, and those plans are forthcoming.

As more information becomes available, I’ll provide updates in this thread.
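As an added defender-side check, not code from Nexus Mutual, Curve or the Vyper team: the Python script below reads the version pragma of a Vyper source file and reports which of the three affected releases from the Vyper TL;DR above its specifier admits, so a team can triage which of its contracts need review. Treating `^` and `~=` as "at or above the pin within the same minor series" is an assumption, and the sample sources are constructed.

```python
import re

# The three Vyper releases named in the Vyper post-mortem TL;DR quoted above.
AFFECTED = {(0, 2, 15), (0, 2, 16), (0, 3, 0)}

# Matches "# @version <spec>" and the newer "#pragma version <spec>" forms.
_PRAGMA = re.compile(r"^\s*#\s*(?:@version|pragma\s+version)\s+(.+?)\s*$", re.M)
# One clause of a specifier: optional operator, optional leading "v", then x.y.z.
_CLAUSE = re.compile(r"^(\^|>=|<=|==|~=|>|<)?\s*v?(\d+)\.(\d+)\.(\d+)$")

def parse_pragma(source: str):
    """Return the version specifier of a Vyper source file, or None if it has none."""
    m = _PRAGMA.search(source)
    return m.group(1) if m else None

def _clause_admits(clause: str, ver: tuple) -> bool:
    """Does one specifier clause (e.g. '>=0.2.15' or '^0.3.0') allow release `ver`?"""
    m = _CLAUSE.match(clause.strip())
    if not m:
        raise ValueError(f"unsupported version clause: {clause!r}")
    op, *nums = m.groups()
    pin = tuple(int(n) for n in nums)
    if op in (None, "=="):
        return ver == pin
    if op in ("^", "~="):
        # Assumption: "compatible release" means at or above the pin, same minor series.
        return ver >= pin and ver[:2] == pin[:2]
    return {">=": ver >= pin, "<=": ver <= pin, ">": ver > pin, "<": ver < pin}[op]

def affected_versions_admitted(specifier: str) -> list:
    """Affected releases that satisfy every comma-separated clause of the specifier."""
    clauses = [c for c in specifier.split(",") if c.strip()]
    return sorted(v for v in AFFECTED if all(_clause_admits(c, v) for c in clauses))

def check_source(source: str):
    """Triage one source file: (pragma or None, affected releases it admits)."""
    spec = parse_pragma(source)
    if spec is None:
        return None, []  # no pragma: compiler unknown, fall back to build metadata
    return spec, affected_versions_admitted(spec)

# Constructed sample sources (not real Curve pool code), one per pragma style.
SAMPLES = {
    "pinned_affected": "# @version 0.2.15\n\n@external\ndef f(): pass\n",
    "caret_affected": "# @version ^0.3.0\n@external\ndef f(): pass\n",
    "range_mixed": "# @version >=0.2.15, <0.3.1\n",
    "pinned_safe": "#pragma version 0.3.7\n",
}

RESULTS = {name: check_source(src) for name, src in SAMPLES.items()}
```

A pragma only tells you which compilers the source accepts; the version actually used for a deployed contract should be confirmed from the build artifacts or verified-source metadata.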