What’s Happened to Curve?: Decoded by Notum

Aug 24, 2023 · 8 min read


What Is Curve?

Curve Finance is one of the most popular decentralized exchanges. According to DefiLlama, it ranks second among all DEXs by TVL and third by trading volume.

Curve uses liquidity pools where people combine and lock their assets in a smart contract. The locked assets power the trading of different cryptocurrencies on the platform by providing liquidity. Liquidity providers receive periodic rewards on the assets they lock in the pools. In this way, liquidity pools allow decentralized exchanges like Curve Finance to operate.

Curve was launched in 2020 as a StableSwap exchange and began gaining popularity among traders and liquidity providers. The main reason was its low commissions and low slippage when trading assets. These advantages come from a unique mechanism, the StableSwap Invariant. This AMM model uses pools consisting of 2 or more tokens. The tokens in a pool are referred to as pegged assets and represent assets with the same price. Stablecoins such as USDT, USDC, and DAI, and wrapped assets such as WBTC and sBTC, reflect this concept.

Changes in the proportion of tokens in the liquidity pool can be plotted as a hyperbola, as in the graph:

Source: Curve Whitepaper
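The low-slippage claim can be checked numerically. The following is an added example, not code from Curve or from the original article: it solves the StableSwap invariant from the Curve whitepaper for a pool and compares the output of one trade with a constant-product pool. The function names, the sample balances and the amplification value A = 100 are assumptions made for illustration, and fees are ignored.

```python
import math

def get_D(balances, A):
    """Solve the StableSwap invariant for D by Newton's method.

    Invariant: A*n^n*sum(x) + D = A*D*n^n + D^(n+1) / (n^n * prod(x))
    """
    n = len(balances)
    S = sum(balances)
    ann = A * n**n
    D = S  # starting guess; exact when the pool is perfectly balanced
    for _ in range(255):
        D_P = D
        for x in balances:
            D_P = D_P * D / (n * x)  # builds D^(n+1) / (n^n * prod(x))
        D_prev = D
        D = (ann * S + n * D_P) * D / ((ann - 1) * D + (n + 1) * D_P)
        if abs(D - D_prev) < 1e-9 * D:
            break
    return D

def stableswap_out(balances, i, j, dx, A):
    """Amount of coin j received for dx of coin i (fees ignored)."""
    n = len(balances)
    D = get_D(balances, A)
    ann = A * n**n
    new = list(balances)
    new[i] += dx
    others = [x for k, x in enumerate(new) if k != j]
    b = sum(others) + D / ann
    c = D**(n + 1) / (n**n * math.prod(others) * ann)
    # With all other balances fixed, the invariant is quadratic in y:
    #   y^2 + (b - D)*y - c = 0
    y = (-(b - D) + math.sqrt((b - D)**2 + 4 * c)) / 2
    return balances[j] - y

def constant_product_out(x, y, dx):
    """The same trade against an x*y = k pool, for comparison."""
    return y * dx / (x + dx)

def compare(pool=(1_000_000.0, 1_000_000.0), dx=10_000.0, A=100):
    """Constructed sample: a 1% trade against a balanced two-coin pool."""
    return (stableswap_out(pool, 0, 1, dx, A),
            constant_product_out(pool[0], pool[1], dx))
```

On the balanced sample pool the StableSwap output stays within about 0.5 units of the 10,000 paid in, while the constant-product pool returns roughly 9,901. The same trade against a heavily imbalanced pool returns noticeably less, so the near 1:1 price only holds close to balance.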

As the stablecoin and wrapped-token pools don’t have impermanent losses, Curve started attracting liquidity providers, including whales who were looking for a relatively risk-free platform to earn income. At the same time, traders were interested in low-slippage trading. As a result, Curve’s TVL became the highest among all the DEXs and reached the $24B mark when Uniswap’s TVL was $8.7B:

Source: DefiLlama

Curve V2 was launched in 2021. Its key innovation was the ability to create liquidity pools with assets at different prices. The new pools used liquidity more effectively, with fees ranging from 0.04 to 0.4%. The main pool on Curve V2 is the Ethereum-based “Tricrypto”, which includes USDT, WBTC, and WETH.

Curve Tokenomics

Curve has a rather complex protocol structure. The project introduced a unique system with no analogs, called “ve-tokenomics” (vote-escrowed tokenomics). The ve-tokenomics model boils down to locking the project’s native tokens for a certain period. This, in turn, encourages long-term user participation and reduces the supply of tokens on the market. Stakers receive veTokens, which are non-transferable, meaning there are no markets where they can be sold. At the same time, veTokens are voting tokens and allow holders to earn increased returns through token emissions and/or protocol fees. The diagram below shows the general principle of the ve-tokenomics model:

Source: Perpetual Protocol

Curve has a native $CRV token. The main utilities of $CRV are voting, staking, and yield boosting. All of these become available after you lock $CRV and receive veCRV. The longer the lock period for $CRV tokens, the more veCRV is credited to the user.

Base vAPY: shows the yield generated by traders’ fees. After each swap, the user pays a commission that is divided between the liquidity providers of that pool and Curve DAO.

Rewards tAPR: Curve DAO allows some pools to earn returns on issuing $CRV. The distribution of rewards is carried out through the “Liquidity Gauges” system, a set of smart contracts that regulate the issuance of $CRV. The formula for calculating tAPR takes into account various factors, including how long the pool is on the market, its weight, etc.

Currently, pool weights in Curve are distributed as shown in the pie chart below:


The yield of pools on Curve is made up of Base vAPY and Rewards tAPR, which is CRV + Incentives.

Incentives tAPR: Pools can also issue rewards that do not require Curve DAO approval. In the stETH example below, the pool is transferring $LDO tokens in addition to the $CRV rewards.

It’s worth underlining the possibility of yield boosting. One of the main incentives for holding $CRV is the ability to increase the reward for providing liquidity. Locked $CRV allows you to increase the yield on the provided liquidity by up to 2.5 times.

What’s Happened to Curve?

On July 30th, PeckShield, a company specializing in security audits, tweeted that Curve had been hacked for $26.7M. The stolen assets included: CRV, wETH, alETH, msETH, pETH and WBNB.

The vulnerability was discovered in pools that used Vyper 0.2.15, specifically in the reentrancy lock, which did not function correctly (re-spend errors). Vyper is a smart contract programming language for the Ethereum Virtual Machine (EVM). The most affected protocols were Alchemix, JPEGd, Metronome, Debridge, and Ellipsis. In this case, only the pools associated with Curve were affected, not the protocols themselves.
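To show why a malfunctioning reentrancy lock can pass a basic test and still fail to protect a contract, here is an added Python model; it is not Vyper or Curve code. The contract, its `deposit` and `withdraw` functions and the per-function slot behaviour are hypothetical simplifications assumed for illustration, since the article only states that the lock functioned incorrectly.

```python
class Reentered(Exception):
    """Raised when a guarded function is entered while its lock is held."""

def nonreentrant(key):
    """Guard a method with the lock named `key`."""
    def deco(fn):
        def wrapper(self, *args, **kwargs):
            # Correct: every function using `key` shares one slot.
            # Faulty (assumed model): each function gets its own slot.
            slot = (fn.__name__, key) if self.per_function_slots else key
            if self.slots.get(slot):
                raise Reentered(fn.__name__)
            self.slots[slot] = True
            try:
                return fn(self, *args, **kwargs)
            finally:
                self.slots[slot] = False
        return wrapper
    return deco

class Pool:
    """Hypothetical contract with two functions sharing the lock 'lock'."""
    def __init__(self, per_function_slots):
        self.per_function_slots = per_function_slots
        self.slots = {}

    @nonreentrant("lock")
    def deposit(self, callback=None):
        if callback:
            callback()

    @nonreentrant("lock")
    def withdraw(self, callback=None):
        # Stands in for an external call made while the lock is held.
        if callback:
            callback()

def reentry_blocked(pool, outer, inner):
    """True if calling `inner` from inside `outer` is rejected by the guard."""
    try:
        getattr(pool, outer)(callback=lambda: getattr(pool, inner)())
    except Reentered:
        return True
    return False

def audit(pool):
    """Check every (outer, inner) pair, not only a function re-entering itself."""
    names = ("deposit", "withdraw")
    return {(o, i): reentry_blocked(pool, o, i) for o in names for i in names}
```

With the faulty slot layout, `audit` reports same-function re-entry as blocked and cross-function re-entry as allowed, which is why a guard test has to cover every pair of functions that share a lock.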

After these events, the price of $CRV fell sharply, as you can see in the graph below:

Source: Trading View

The situation was worsened by the fact that a huge amount of $CRV tokens belonged to Curve’s founder, Mikhail Egorov. Egorov had borrowed over $100M backed by $460M of $CRV, representing over 47% of the total token supply. A sharp decline in the price of $CRV raised the risk that Egorov’s positions would be liquidated, which could have ended in a liquidation collapse across the entire DeFi sector.

Specifically, Egorov borrowed $63M in stablecoins on AAVE, secured by 34% of the entire supply of $CRV. In addition, he had an open position on Fraxlend, where he borrowed $19.5M.

If the liquidation price had been reached, a huge amount of $CRV would have been released onto the open market, and there would simply have been no buyers for such a large supply. It is also worth noting that about 7.2M $CRV were taken by a hacker, who, in theory, could also have notably lowered the price of the token by trying to sell them, for example, on Uniswap. All of these events naturally pushed AAVE’s lenders and other crypto-lending platforms to withdraw funds, thereby provoking an increase in lending rates.

Realizing how serious the situation was, Mikhail Egorov took several steps to stabilize it. First of all, he started adding collateral to his credit positions, increasing the liquidation ratio. Egorov also deployed a new pool on Curve to provide liquidity to high-risk CRV/FRAX with increased incentives. The idea was to encourage more liquidity to improve the liquidation rate. The pool raised about $2M in the first 4 hours and reduced its utilization rate from 100% to 89%. However, despite these actions, the risk of liquidation was still quite high.

Egorov also started selling $CRV on the OTC (over-the-counter) market. According to Lookonchain, the founder of Curve sold a total of 72M $CRV to 15 institutions/investors on OTC for $0.4, making a total of $28.8M.

These timely actions prevented a margin call on Mikhail Egorov’s open credit positions. Simultaneously, the hacker was given an ultimatum by the protocols affected by the exploit. On August 3rd, the following message was sent to the attacker's address:

“We as a group: Curve, Metronome & Alchemix would like to discuss a bounty with any parties who were involved in the recent Curve exploits. We are offering a 10% bounty of any funds stolen, which are yours to keep if you return the remaining 90%.

You will have no risk of us pursuing this further, no risk of law enforcement issues, etc. If you choose not to partake in the voluntary return and complete the process by 6 August at 0800 UTC, we will expand the bounty to the public, and offer the full 10% to the person who is able to identify you in a way that leads to your conviction in the courts. We will pursue you from all angles with the full extent of the law.” 

Overall, Curve’s situation had a happy ending. Moreover, on August 10, Binance Labs announced a strategic partnership with Curve and a $5M investment in Curve DAO Token (CRV) to support the project ecosystem. As part of the partnership, Curve will consider deploying the exchange on the BNB network.

At that time, the total losses due to the hack were about $73.5M. Soon the hacker decided to return the stolen money. So, according to PeckShield, by the time the deadline expired, about $52.3M was returned.

How to Invest in Curve Pools Via Notum?

Notum provides you with an opportunity to become a liquidity provider in Curve pools and get commissions for that.

Source: Notum App

To invest funds, you need to:  

  1. go to the "Investments" section;

  2. select the Curve protocol in the "Filters" section;

  3. go to the page of any pool to read the description of the strategy, assets and key indicators.

The investment process is extremely easy to follow: all you need to do is connect your wallet and select the asset you will enter the position with.

Closing Thoughts

What happened with Curve is rather symptomatic, proving that the current state of DeFi is still fragile and vulnerable. The weakness revealed in Curve, which led to some of the exchange’s pools being emptied, increased the risk of a liquidation cascade in the market. Had $CRV reached liquidation prices in a number of credit protocols, a huge amount of $CRV would have been released onto the market and would simply not have found any buyers. This hack highlighted once more that security is an area where the DeFi industry should take additional precautions to keep customer transactions secure.

On the other hand, community solidarity played a serious role here, especially the investors and organizations that decided to buy $CRV tokens directly from Mikhail Egorov on OTC, as well as Binance Labs' strategic investment in the Curve exchange.

A situation in which $CRV reached the liquidation price would not have been beneficial for the industry as a whole, as it could have ended in a series of cascading liquidations and a critical TVL decline across the entire DeFi sector. The Curve team managed all those difficulties in a timely and accurate manner and successfully got out of the situation.

