Hacks · July 30, 2023

Curve Finance pools drained for ~$70M via Vyper compiler reentrancy bug

Price at event

$29,283

Today

$73,577

Since then

×2.5

On July 30, 2023, multiple Curve Finance liquidity pools were drained for roughly $70 million after a malfunctioning reentrancy guard in Vyper compiler versions 0.2.15, 0.2.16, and 0.3.0 — a bug in the language itself rather than Curve's code — left pools like CRV/ETH, alETH-ETH, and pETH-ETH open to attack. The incident hit a foundational DeFi primitive and stoked broader contagion fears, though whitehat recoveries and partial returns eventually trimmed the net loss to roughly $50 million.

⸺ Sources ⸺

← Earlier

Judge Torres rules XRP programmatic sales are not securities in SEC v. Ripple

Later →

PayPal launches PYUSD, the first dollar stablecoin from a major US financial company

⸺ More from this category ⸺

Hacks

2026-04-19KelpDAO drained for ~$292M — largest DeFi hack of 2026$73,824 2026-04-01Drift Protocol exploited for ~$285M$68,108 2025-05-22Cetus Protocol drained of ~$223M on Sui$111,722 2025-02-21Bybit loses ~$1.5B to North Korean hackers in largest crypto heist ever$96,150