Curve Finance (multiple pools) + JPEG'd, Alchemix, Metronome: Compiler-Level Reentrancy Guard Failure (Vyper 0.2.15–0.3.0 Bug)
Summary
Curve Finance (multiple pools) + JPEG'd, Alchemix, Metronome, in the DEX / AMM (Liquidity Pool) category, suffered an exploit on 2023-07-30, resulting in a loss of approximately $69M.
What happened
A hidden compiler bug in Vyper versions 0.2.15–0.3.0 silently disabled reentrancy guards in Curve's ETH pools since 2021, allowing attackers to drain $69M across four pools in a single day when the bug was finally discovered and weaponized.
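A triage check for the version range named above, as an added example that is not part of the original page or of Curve's or Vyper's code: it reads the `# @version` pragma of a Vyper source file and flags files pinned inside 0.2.15–0.3.0 that rely on `@nonreentrant`. The function name `triage`, the status strings and the sample contracts are constructed for illustration, and the pragma is only a proxy for the compiler actually used at deployment.

```python
import re

# Affected range as stated on this page: Vyper 0.2.15 through 0.3.0, inclusive.
AFFECTED_MIN = (0, 2, 15)
AFFECTED_MAX = (0, 3, 0)

# Vyper sources of that era pin the compiler with a "# @version X.Y.Z" comment.
PRAGMA_RE = re.compile(r"^\s*#\s*@version\s+(\S+)", re.MULTILINE)
VERSION_RE = re.compile(r"^(\d+)\.(\d+)\.(\d+)$")
GUARD_RE = re.compile(r"^\s*@nonreentrant\(\s*['\"]([^'\"]+)['\"]\s*\)", re.MULTILINE)


def triage(source: str) -> dict:
    """Classify one Vyper source file by pinned compiler version and guard usage."""
    guards = sorted(set(GUARD_RE.findall(source)))
    pragma = PRAGMA_RE.search(source)
    if pragma is None:
        return {"status": "unknown-version", "version": None, "guards": guards}
    spec = pragma.group(1)
    exact = VERSION_RE.match(spec)
    if exact is None:
        # Range specifiers (^, >=, ...) do not identify the compiler that was used;
        # the build artifacts or deployment records have to be checked instead.
        return {"status": "unpinned-version", "version": spec, "guards": guards}
    version = tuple(int(part) for part in exact.groups())
    in_range = AFFECTED_MIN <= version <= AFFECTED_MAX
    if in_range and guards:
        status = "affected-guard-unreliable"
    elif in_range:
        status = "affected-compiler-no-guard"
    else:
        status = "outside-affected-range"
    return {"status": status, "version": spec, "guards": guards}


# Constructed sample contracts (not Curve's code).
SAMPLE_AFFECTED = '''# @version 0.2.15
@external
@nonreentrant('lock')
def remove_liquidity(amount: uint256):
    pass
'''
SAMPLE_LATER = SAMPLE_AFFECTED.replace("0.2.15", "0.3.1")

if __name__ == "__main__":
    for name, src in (("affected", SAMPLE_AFFECTED), ("later", SAMPLE_LATER)):
        print(name, triage(src))
```

A file reported as `affected-guard-unreliable` should be treated as having no reentrancy protection until it has been recompiled with a compiler outside the range and redeployed or otherwise mitigated.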
Linked factors
- RD-F-004 — related: Audit count likely 0; floor display [via dashboard_risk_factors/Vulnerability in audited or unaudited code: Unaudited — compiler-level; no audit reviews compiler correctness]