The Curve Finance (CRV) lending protocol has terminated governance token rewards for select liquidity pools affected by the July 30 Curve exploit and July 6 Multichain exploit, according to an August 2 social media post from a member of the protocol’s governing body.
The ending of rewards was carried out by the Curve emergency decentralized autonomous organization (Curve E-DAO), a committee made up of select members of the Curve DAO governing body. It affected pools for alETH+ETH, msETH-ETH, pETH-ETH, crvCRVETH, Arbitrum Tricrypto, and multibtc3CRV, according to the announcement. The decision can be overridden in the future by a full vote of Curve DAO.
The change was announced by Curve E-DAO member Gabriel Shapiro.
ATTENTION, FROM A CURVE E-DAO SIGNER:
The @CurveFinance emergency multisig has terminated CRV rewards (gauges) to the liquidity pools affected by recent exploits, including pools affected by the recent Vyper compiler exploit and the multiBTC pool affected by the recent…
— _gabrielShapir0 (@lex_node) August 2, 2023
On July 6, over $100 million worth of cryptocurrency was withdrawn from a number of bridges that were part of the Multichain protocol. The Multichain team stated that the withdrawals were “abnormal” and that users should stop using Multichain. At the time, the Curve team warned its users to “Exit multichain assets such as multiBTC (including the pool),” implying that its own multibtc3CRV liquidity pool was at risk from the Multichain incident.
On July 14, the Multichain team stated that the withdrawals had been caused by an unknown individual who had gained access to their CEOs cloud computing account, implying that the funds had been exploited and may never be returned.
On July 30, Curve Finance itself was the victim of a reentrancy attack. Over $47 million worth of crypto was lost in the exploit. The attack affected the alETH, msETH, and pETH pools, as these were created using the Vyper protocol that contained the vulnerability. Other Curve pools not created through Vyper were unaffected.
Despite these exploits, the affected pools still produced CRV governance token rewards. This meant that users could still deposit their tokens into the pools to earn CRV. In the August 8 announcement, Shapiro stated that the emergency DAO has now removed these rewards in order to “avoid incentivizing further participation in these compromised pools.”
Investors have continued to suffer from hacks and scams in July and August. Payment provider Alphapo allegedly lost over $60 million on July 23 due to an attacker gaining access to its hot wallet private keys. The company has not confirmed the alleged attack, but on-chain sleuths have argued that the transfers are abnormal and probably the result of a hack. On July 25, zkSync was also exploited for $3.4 million due to a read-only reentrancy bug.