The decentralized finance (DeFi) community of Curve Finance has made a significant decision to compensate a liquidity provider who lost $61 million in a hack in July. Following a community vote, it was agreed that over $49.2 million in various tokens would be paid to cover the losses. The vote, which saw 94% of token holders in favor, took place on December 21. The reimbursement plan includes compensation in Curve (CRV), JPEG'd (JPEG), Alchemix (ALCX), and Metronome (MET) tokens.
The method for calculating the losses was comprehensive, taking into account both the Ethereum and CRV tokens that were present in the pool before the hack. It also included the CRV emissions that should have been distributed to the liquidity providers during the intervening months. As per Curve’s proposal, the compensation would be made using Curve DAO (CRV) tokens from the community fund. The final compensation amount also considered the tokens that were recovered after the hacking incident. The proposal detailed the specific amounts for withdrawal and distribution, including over 5,919 ETH and approximately 34.7 million CRV, totaling around 55.5 million CRV tokens.
The hack, which occurred on July 30, led to heightened security scrutiny across multiple DeFi protocols. Concerns were raised about the potential broader impact of the vulnerability on the entire crypto ecosystem. At the time of the incident, Curve's total value locked (TVL) was close to $4 billion. The affected pools included alETH/ETH, pETH/ETH, msETH/ETH, and CRV/ETH.
In their proposal, Curve acknowledged that while the stolen funds from each pool were either fully or partially recovered, MEV (Maximum Extractable Value) bots caused a shortfall in all affected pools. The remediation proposal aimed to ensure that the impacted liquidity providers were made whole. This step was seen as a move to restore trust and stability in the Curve Finance ecosystem.
The exploit was traced to vulnerabilities in stable pools that utilized certain versions of the Vyper programming language. Vyper, favored by many DeFi protocols for its compatibility with the Ethereum Virtual Machine, had specific versions that were susceptible to reentrancy attacks. The vulnerable versions identified were 0.2.15, 0.2.16, and 0.3.0. This incident highlighted the need for continuous vigilance and rigorous security protocols in the DeFi space.



















