Glossary
Curve Vyper Hack (2023)
The July 2023 exploit of multiple Curve pools — caused by a Vyper compiler bug that broke reentrancy guards in versions 0.2.15–0.3.0, draining ~$73 million.
On July 30, 2023, multiple Curve Finance liquidity pools were drained simultaneously. The root cause was a Vyper compiler bug that caused certain reentrancy guards to malfunction in Vyper versions 0.2.15, 0.2.16, and 0.3.0. Pools using Vyper >= 0.3.1 were unaffected.
Affected pools included alETH/ETH, msETH/ETH, pETH/ETH, and CRV/ETH. Total losses reached ~$73 million. White-hat MEV searcher coffeebabe.eth countered some of the attack and returned funds. Curve, Convex, and several lending markets with CRV collateral experienced significant secondary stress.