defirisk.co
rubric v1.7.0

Curve LlamaLend: Empty-market donation attack on a freshly-listed lending market

Same root-cause class as the Venus zkSync Era incident () and the 2026-03-15 Venus BNB Chain incident — donation attack on a fresh, low-TVL lending market without first-depositor protection.

Occurred 2026-03-02 Loss $240K Status closed

Summary #

Curve LlamaLend suffered a Lending (LlamaLend on Curve infrastructure) on 2026-03-02, resulting in a loss of approximately $240K.

What happened #

Same root-cause class as the Venus zkSync Era incident () and the 2026-03-15 Venus BNB Chain incident — donation attack on a fresh, low-TVL lending market without first-depositor protection.

Linked factors #

  • RD-F-070 — related : Same empty-market donation pattern as Venus zkSync incident
  • RD-F-074 — related : _decimalsOffset() returning 0 + no virtual deposit; same ERC-4626 first-depositor config error as Venus
  • RD-F-084 — related : Auto-linked by C.4 triage 2026-05-07
  • RD-F-143 — illustrative : LlamaLend factory did not back-port the first-depositor fix from mainnet Venus / Compound III