A Deep Dive Into How Curve Pool’s $70 Million Reentrancy Exploit Was Possible
The recent Curve pool exploit differs from most of the cryptocurrency hacks we have seen in the last few years: the vulnerability was not in the smart contract source itself, but in the compiler of the language the contract was written in.
In this case, we’re talking about Vyper: a contract-oriented, Pythonic programming language that compiles to bytecode for the Ethereum Virtual Machine (EVM). The circumstances surrounding this exploit fascinated me, so I wanted to do a deep dive into what allowed it to happen in the first place.
As the exploit unfolded, headlines reported new numbers every day. The situation now seems to be contained, but not before more than $70 million U.S. dollars were stolen. Several DeFi projects’ pools were drained, including JPEG’d’s pETH/ETH pool ($11 million), Metronome’s msETH/ETH pool ($3.4 million), Alchemix’s alETH/ETH pool ($22.6 million) and Curve DAO’s own CRV/ETH pool (around $24.7 million), according to LlamaRisk’s post-exploit assessment.
The root cause is a malfunctioning reentrancy lock: in certain versions of the Vyper compiler, specifically v0.2.15, v0.2.16 and v0.3.0, the @nonreentrant decorator did not reliably stop a function from being re-entered while another function guarded by the same lock key was still executing. Therefore all projects…