Curve Finance (Vyper exploit)
A July 30, 2023 incident in which a compiler bug in older Vyper versions broke reentrancy protection, letting attackers drain several Curve pools and dependent protocols (Alchemix, JPEG'd, Metronome). Gross losses were ~$70M; white-hats and returns cut net losses to about $52M.
Also known as: Curve Finance, Vyper, CRV, Alchemix, JPEG'd
Summary
On July 30, 2023, attackers exploited a vulnerability not in Curve's own logic but in the Vyper smart-contract compiler: versions 0.2.15, 0.2.16, and 0.3.0 had a bug that disabled reentrancy protection. This allowed reentrancy attacks against several Curve stable/ETH pools and protocols that depended on them, including Alchemix, JPEG'd, and Metronome. [1][2]
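A triage check for the condition described above, as an added example (not code from this page, Curve, or the Vyper project): it flags Vyper source that pins one of the three compiler versions listed here and also relies on the `@nonreentrant` decorator. The `triage` function, its status labels, and the sample contract are hypothetical and constructed for illustration.

```python
import re

# Affected compiler releases, as listed on this page.
AFFECTED = {"0.2.15", "0.2.16", "0.3.0"}

# Matches "# @version 0.2.15" and "# pragma version ^0.3.0" style lines.
PRAGMA = re.compile(r"^#\s*(?:@version|pragma\s+version)\s+(\S+)", re.M)
# A @nonreentrant decorator, any further decorators, then the guarded function.
GUARDED = re.compile(
    r"@nonreentrant\(\s*['\"]([^'\"]+)['\"]\s*\)\s*\n(?:\s*@[^\n]*\n)*\s*def\s+(\w+)")
EXACT = re.compile(r"^v?(\d+\.\d+\.\d+)$")

# Constructed sample source, not taken from any deployed pool.
SAMPLE_POOL = """# @version 0.2.15
@external
@nonreentrant('lock')
def add_liquidity(amount: uint256):
    pass

@external
@nonreentrant('lock')
def remove_liquidity(amount: uint256):
    pass
"""


def triage(source):
    """Classify one Vyper source file by version pragma and guard usage."""
    guards = GUARDED.findall(source)          # [(lock key, function name), ...]
    pragma = PRAGMA.search(source)
    spec = pragma.group(1) if pragma else None
    exact = EXACT.match(spec) if spec else None
    if not guards:
        status = "no-guard"      # nothing in this file relies on the lock
    elif exact is None:
        status = "check-build"   # missing or ranged pragma: confirm the real compiler
    elif exact.group(1) in AFFECTED:
        status = "affected"      # pinned to a listed version and uses the guard
    else:
        status = "ok"
    return {"pragma": spec, "guards": guards, "status": status}


if __name__ == "__main__":
    print(triage(SAMPLE_POOL))
```

The source pragma is only a hint; the compiler version recorded for the deployed bytecode is what decides whether a contract is actually affected.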
Scale and recovery
Gross losses were estimated around $70 million across the affected pools. A significant share was recovered: white-hat actors (notably "c0ffeebabe.eth") front-ran or counter-exploited some pools and returned funds, and several attackers returned funds after Curve offered a 10% bounty. Net losses settled around $52 million, and the Curve DAO later voted to compensate affected liquidity providers. [1][2]
Bracketed numbers refer to the numbered sources listed below.
Sources (2)
See also
- Loci (LOCIcoin) (Tokens): A 2017–2018 ICO for 'LOCIcoin' tied to the InnVenn IP-search platform. The SEC charged Loci and CEO John Wise with fraud for raising $7.6M on false claims about revenue, headcount, and user base; Wise also misused investor funds. Settled with a $7.6M penalty and an officer/director bar.
- Blockchain Terminal (BCT) (Tokens): A 2017–2018 ICO (BCT tokens, ~$30M) for a 'Blockchain Terminal' — a Bloomberg-style crypto trading terminal. The SEC and DOJ said convicted ex-hedge-funder Boaz Manor secretly ran it under a fake identity ('Shaun MacDonald'), using associate Edith Pardo as a front, and lied about the product's adoption.
- Crowd Machine (CMCT) (Tokens)
This page was last updated on Jun 8, 2026.