Security & Audits
Share
On July 30, a significant security breach occurred on several stable pools on Curve Finance that employed Vyper, leading to staggering losses of over $47 million.
According to Vyper, their versions 0.2.15, 0.2.16, and 0.3.0 were found to be susceptible to malfunctioning reentrancy locks.
Vyper promptly responded to the incident, stating that an investigation into the matter was underway, and any projects relying on the aforementioned versions should urgently contact them.
Security firm Ancilia conducted an analysis of the affected contracts, revealing that 136 contracts utilized Vyper 0.2.15 with reentrant protection, 98 contracts employed Vyper 0.2.16, and 226 contracts utilized Vyper 0.3.0.
The preliminary findings indicate that certain versions of the Vyper compiler failed to correctly implement the reentrancy guard, which is designed to prevent multiple functions from executing simultaneously by locking a contract, according to Cointelegraph. Exploiting this vulnerability through reentrancy attacks enabled unauthorized access to and potential draining of funds from the contracts.
It is worth noting that Vyper is a contract-oriented programming language that resembles Python and targets the Ethereum Virtual Machine (EVM). Due to its similarities with Python, Vyper serves as an entry point for Python developers venturing into Web3 and smart contract development.
The attack significantly impacted several decentralized finance (DeFi) projects. Decentralized exchange Ellipsis reported that a few stable pools with BNB were exploited using an outdated Vyper compiler. Alchemix's alETH-ETH pool suffered a massive outflow of $13.6 million, while JPEGd's pETH-ETH pool saw $11.4 million being exploited.
Additionally, Metronome's sETH-ETH pool experienced a loss of $1.6 million. Furthermore, Michael Egorov, the CEO of Curve Finance, confirmed in a Telegram channel that 32 million CRV tokens, valued at over $22 million, were drained from the swap pool.
Nevertheless, as a result, the utility token of Curve Finance, experienced a decline of over 5% in its value.
Fortunately, according to Curve Finance, which operates as a DeFi protocol that facilitates the decentralized exchange of stablecoins on the Ethereum blockchain, the attack did not affect crvUSD contracts and any pools associated with it.
Despite this latest incident, the protocol has been the target of several attacks within its ecosystem. In fact, the DeFi space has experienced a surge in attacks over the past months. A report by De.Fi, a Web3 portfolio app, revealed that during the second quarter of 2023 alone, DeFi hacks and scams collectively swindled more than $204 million. These incidents underscore the growing security concerns and vulnerabilities within the DeFi sector.
The incident highlights the critical importance of stringent security measures and careful scrutiny of smart contracts in the DeFi space. As the investigation continues, developers and projects are urged to remain vigilant and proactively address potential vulnerabilities to prevent similar incidents in the future.
Disclaimer of Warranty
The information provided in this article is for general informational purposes only. We make no warranties about the completeness, reliability, and accuracy of this information. Read full disclaimer
Editor's Picks

Prediction Markets Face Their Regulatory Moment as ESMA Draws the Line
Walid Abou Zaki
Jul 5, 2026
8 min

FATF R.16 Consultation: What It Could Mean for Stablecoin Payments
Walid Abou Zaki
Jun 25, 2026
7 min

Inveniam to Acquire MANTRA After $20M Post-Crisis Bet
Walid Abou Zaki
Jun 17, 2026
8 min
Read More Articles
In the Same Space

Vitalik Buterin Outlines Ethereum's Biggest Technical Transformation Since the Merge
News Desk
Jul 6, 2026
3 min

Prediction Markets Face Their Regulatory Moment as ESMA Draws the Line
Walid Abou Zaki
Jul 5, 2026
8 min

DDSC NOC Puts UAE AED Stablecoins Under Market Test
Walid Abou Zaki
Jul 4, 2026
6 min

CLARITY Act Wins First Law Enforcement Support in Major Boost for Crypto Bill
News Desk
Jul 3, 2026
3 min