DESCRIPTION OF EVENTS
"Curve is a decentralized, UniSwap-like exchange for stablecoins. By focusing on stablecoins, it’s able to offer traders extremely low slippage, and liquidity providers enjoy little-to-no impermanent loss." "As is the case with many other decentralized finance protocols, Curve wasn’t fully decentralized at launch, run by the Curve team, led by Michael Egorov, the founder of NuCypher with a Ph.D. in Physics."
"Curve supports DAI, USDC, USDT, TUSD, BUSD and sUSD, as well as BTC pairs, and it lets you trade between these pairs extremely quickly and efficiently. When stablecoins or stable assets are involved, Curve’s prices are usually the best in the business."
“The key aspect of Curve is its market-making algorithm, which can provide 100-1000 times higher market depth than Uniswap or Balancer for the same total value locked. This dynamic helps both traders and liquidity providers because fundamental returns for those are higher than on Uniswap and alike by the same factor as the market depth.”
"Curve’s stablecoin swapping mechanism and yield integration mechanism has been audited by Trail of Bits."
"[T]he Curve contract had a critical (but not exploited) vulnerability which allowed anyone to drain the smart contract." "[S]ubmitting an exchange of some asset into the same asset, essentially, drains this asset. Anyone could do it."
"In this situation, it was decided to deploy a new version (which was brewing anyway) with newer and better parameters and other good changes, such as more advanced logging, and the fix in question, however without disclosing the fix in question publicly on github. Or, at least, before LPs migrate the funds. As most trades were going from 1inch.exchange, they were able to switch to the new contract within 10 minutes, leaving the old, vulnerable, contract without profits beyond Compound interest."
"Immediately after deploying the new contract and UI, more than 50% of funds were migrated over even before the official announcement. The rest of the migration took 3 days."
"In conclusion, the contract was fixed."
An original version of the Curve Finance protocol had an exploit which would allow the protocol to be drained by an attacker. This was not exploited, but instead was caught before the contract was deployed.
HOW COULD THIS HAVE BEEN PREVENTED?
Decentralized Finance will eventually tend towards full security. However, like hot wallets, it is impossible to have certainty of fund security when stored in a smart contract.
Finding potential issues may be possible with audits, and it's also possible to insure assets via smart contract insurance platforms. However, at the moment, these insurance platforms have also fallen victim to being exploited themselves multiple times.
In our framework, we have proposed a unique insurance model which protects investors through a collective insurance fund.
Vulnerability disclosure: the discovery and the rescue (Jun 21)
@curvefinance Twitter (May 24)
Curve Finance Shuts Down yv2 Pool After Finding Vulnerability - Decrypt (May 24)
Curve Finance Shuts Down yv2 Pool After Finding Vulnerability – Decrypt – CoinCap (May 24)
List of Ethereum Smart Contracts Post-Mortems - Security - OpenZeppelin Community (Jun 22)
Curve Vulnerability Report (May 24)