In response to the exploitation of a vulnerability within the Vyper programming language, the CRV share price fell by more than 30%. Many CRV holders chose to move their capital, causing a notable spike in on-chain activity and large deposits on exchanges.
CRV price plunges as 4 liquidity pools exploit
The Curve Finance decentralized finance protocol (DeFi) was attacked on July 30 due to a vulnerability in the Vyper programming language used by some of its liquidity pools. In response, the CRV share price plummeted from $0.72 to less than $0.5, recording a drop of over 30%.
Figure 1: Daily CRV price
The exploit resulted in tens of millions of dollars in losses for several liquidity pools: CRV-ETH, pETH-ETH, msETH/ETH and alETH/ETH.
The vulnerability exploited is a reentrance attack, which enables an attacker to use the function of a smart contract several times, even though it is only supposed to be called upon once.
In this case, the attacker was able to call a function in the Curve pool that allowed him to withdraw more tokens than he was supposed to. Curve Finance has acknowledged the problem and is working to resolve it and inform its community.
The reaction of CRV holders
In response to multiple attacks on Curve pools, misinformation and a climate of panic, many CRV holders chose to move their capital, either by withdrawing their CRVs from smarts contracts, or by selling them.
Following the announcement of the Vyper vulnerability and the first echoes of exploits, a considerable increase in Curve address activity was recorded.
Figure 2: Active CRV addresses
From 604 active addresses on July 29 to almost 5,000 active addresses two days later, the CRV token activity rate has increased 7-fold. This increase in activity, reflecting the urgency and panic of some, is also measurable via the number of transactions on Uniswap V3, which handles a significant majority of transactions in the DeFi sector.
While average activity was close to 40 transactions a day before July 30, it exceeded 2,600 daily transactions after the attacks were announced, a 70-fold increase.
Figure 3: Number of transactions on UniswapV3
This indicates that many CRV holders attempted to exchange their tokens for ETH, or any other token deemed more secure than CRV at the time. Finally, total transfer volume increased 57-fold, reaching almost 680 million CRVs transferred per day on July 30, compared with just 12 million the day before.
Figure 4: Total Transfer Volume
Although the CRVs moved by the attacker are also counted here, this clearly indicates that news of a damaging vulnerability for Curve has triggered a wave of distrust on a scale not seen since the FTX bankruptcy.
Significant CRV deposits on exchanges
In addition, large volumes of deposits were made on numerous centralized exchanges (CEX) very quickly after the news of the vulnerability in the Vyper compiler was broadcast.
In less than three days, almost 30 million CRVs were deposited on various CEXs, rising from an aggregated total of 94 million to over 125 million CRVs.
Figure 5: Net flow of CRVs to Exchanges
This influx of liquidity reflects the desire of some wary holders to get rid of their tokens, a decision that was catalyzed by the fall in the CRV price, accelerating the panic cycle.
On closer inspection, it seems that the majority of CRV tokens transferred to exchanges found refuge on Binance and Bitfinex, which accounted for over 60% of total inflows over the last three days.
Figure 6: CRV reserves on exchanges
It’s also worth mentioning that some exchanges, notably in the United States, have recorded significant CRV withdrawals. Indeed, Coinbase’s reserves have fallen by over 1.7 million CRVs since the attack, with no clear explanation available at present.
