← Curve Finance5 decisions on this page
Audit log
Every state-changing event for Curve Finance: moderation decisions on community submissions, plus corrections and updates from the news pipeline. URL-based decisions carry three independent witnesses — the original source, an Internet Archive snapshot taken at submission time, and a Solana memo signed by our publicly-disclosed publisher key.
- #1publishby system:backfill2026-05-30 18:32:25ZScore: ? → ? (no score change)anchoranchored
- chain
- ●mainnet-betaslot 423,211,480
- sig
3bUs7aTFXCFd…3hSx4jt8explorer ↗- hash
8RiJLNXtgAzM…dtZaLv12sha256 → base58
verifying row…full verify ↗canonical bytes (7769 B) ▸
{"actor":"system:backfill","investigation_id":"108d7b65-7cee-4e16-a90a-10e0f4936e64","kind":"publish","page_slug":"curve-finance","published_at":"2026-05-30T18:32:25.429Z","sequence_num":1,"snapshot":{"content_type":"investigation","entity_name":"Curve Finance","sections":[{"content":"","heading":"","severity":"medium","sources":[{"credibility":3,"name":"https://www.gemini.com/cryptopedia/curve-finance-liquidity-provider-dao","type":"other","url":""},{"credibility":3,"name":"https://resources.curve.finance/","type":"other","url":""},{"credibility":3,"name":"https://www.coindesk.com/markets/2023/07/31/a-curve-founders-168m-stash-is-under-stress-creating-a-risk-for-defi-as-a-whole","type":"other","url":""}]},{"content":"","heading":"","severity":"medium","sources":[{"credibility":3,"name":"https://hackmd.io/@vyperlang/HJUgNMhs2","type":"other","url":""},{"credibility":3,"name":"https://www.certik.com/resources/blog/2qbPMcyJpR5UfoKrcjWxlQ-vyper-incident-anaylsis","type":"other","url":""},{"credibility":3,"name":"https://www.halborn.com/blog/post/explained-the-vyper-bug-hack-july-2023","type":"other","url":""}]},{"content":"","heading":"","severity":"medium","sources":[{"credibility":3,"name":"https://www.chainalysis.com/blog/curve-finance-liquidity-pool-hack/","type":"other","url":""},{"credibility":3,"name":"https://hacken.io/discover/curve-finance-liquidity-pools-hack-explained/","type":"other","url":""},{"credibility":3,"name":"https://blockworks.com/news/curve-suffers-exploit","type":"other","url":""},{"credibility":3,"name":"https://cointelegraph.com/news/vyper-vulnerability-exposes-defi-ecosystem-stress-tests","type":"other","url":""}]},{"content":"","heading":"","severity":"medium","sources":[{"credibility":3,"name":"https://www.coindesk.com/tech/2023/08/07/curve-recoups-73-of-hacked-funds-bolstering-crv-sentiment","type":"other","url":""},{"credibility":3,"name":"https://www.theblock.co/post/243464/curve-exploit-identity-bounty","type":"other","url":""},{"credibility":3,"name":"https://cointelegraph.com/news/curve-hack-mev-bot-behind-61m-heist-begins-returning-funds","type":"other","url":""},{"credibility":3,"name":"https://www.chainalysis.com/blog/curve-finance-liquidity-pool-hack/","type":"other","url":""}]},{"content":"","heading":"","severity":"medium","sources":[{"credibility":3,"name":"https://www.coindesk.com/markets/2023/07/31/a-curve-founders-168m-stash-is-under-stress-creating-a-risk-for-defi-as-a-whole","type":"other","url":""},{"credibility":3,"name":"https://finance.yahoo.com/news/curve-exploit-curve-founder-michael-081342185.html","type":"other","url":""},{"credibility":3,"name":"https://www.coindesk.com/business/2023/08/03/curve-founder-still-owes-80m-despite-raising-nearly-30m-in-past-two-days","type":"other","url":""},{"credibility":3,"name":"https://247wallst.com/investing/2023/08/01/curve-founder-sells-40m-in-crv-tokens-amid-liquidation-risk/","type":"other","url":""},{"credibility":3,"name":"https://unchainedcrypto.com/curve-founders-liquidation-could-trigger-chaos-for-defi/","type":"other","url":""}]},{"content":"","heading":"","severity":"medium","sources":[{"credibility":3,"name":"https://cryptoslate.com/curve-finance-tvl-halved-following-vyper-vulnerability-exploit/","type":"other","url":""},{"credibility":3,"name":"https://techcrunch.com/2023/08/01/curve-finances-62m-exploit-exposes-larger-issues-for-defi-ecosystem/","type":"other","url":""},{"credibility":3,"name":"https://blockworks.com/news/curve-suffers-exploit","type":"other","url":""},{"credibility":3,"name":"https://www.coindesk.com/tech/2023/08/09/as-curve-averts-defi-death-spiral-fiasco-exposes-serious-risks","type":"other","url":""}]},{"content":"","heading":"","severity":"medium","sources":[{"credibility":3,"name":"https://cointelegraph.com/news/curve-finance-disburse-49-million-compensation-hack-victims","type":"other","url":""},{"credibility":3,"name":"https://coingape.com/curve-finance-community-approves-49m-payout-for-july-hack-victims/","type":"other","url":""},{"credibility":3,"name":"https://www.outlookmoney.com/cryptocurrency/sec-regrets-errors-related-to-crypto-firm-enforcement-case-curve-finance-to-disburse-49m-in-compensation-to-hack-victims","type":"other","url":""}]},{"content":"","heading":"","severity":"medium","sources":[{"credibility":3,"name":"https://www.halborn.com/blog/post/explained-the-vyper-bug-hack-july-2023","type":"other","url":""},{"credibility":3,"name":"https://www.certik.com/resources/blog/2qbPMcyJpR5UfoKrcjWxlQ-vyper-incident-anaylsis","type":"other","url":""},{"credibility":3,"name":"https://hackmd.io/@vyperlang/HJUgNMhs2","type":"other","url":""},{"credibility":3,"name":"https://github.com/curvefi/security-incident-reports","type":"other","url":""}]}],"sources_used":[],"summary":"Curve Finance is a major decentralized exchange (DEX) on Ethereum optimized for stablecoin and pegged-asset trading, operating since January 2020. On July 30, 2023, a latent vulnerability in the Vyper smart-contract compiler (versions 0.2.15, 0.2.16, and 0.3.0) was exploited across multiple Curve liquidity pools, draining approximately $70 million and triggering a near-systemic crisis when the resulting CRV price drop threatened to cascade-liquidate founder Michael Egorov's heavily collateralized on-chain loans. Roughly 73% of stolen funds were ultimately recovered or returned, and in December 2023 the Curve DAO voted to disburse approximately $49 million in compensation to affected liquidity providers.","timeline":[{"date":"2020-01-01","event":"Curve Finance launches on Ethereum mainnet as a stablecoin-optimized DEX.","source":""},{"date":"2021-07-01","event":"Vyper v0.2.15 released, inadvertently introducing the reentrancy lock storage-slot bug that would remain undetected for two years.","source":""},{"date":"2021-11-01","event":"Vyper v0.2.16 and v0.3.0 released, perpetuating the reentrancy vulnerability.","source":""},{"date":"2022-01-01","event":"Vyper v0.3.1 released, fixing the reentrancy lock defect — but pools already deployed with earlier versions remain vulnerable.","source":""},{"date":"2023-07-30","event":"July 30, 2023: Attackers begin exploiting Curve Finance pools compiled with vulnerable Vyper versions. JPEG'd pETH/ETH (~$11M), Alchemix alETH/ETH (~$20M), Metronome msETH/ETH (~$1.6M), and Curve CRV/ETH (~$18-22M) pools are drained. Total losses approximately $69-73 million.","source":""},{"date":"2023-07-31","event":"CRV token price falls over 20%. Curve TVL drops from ~$3.26B to ~$1.72B. Egorov's $100M+ in on-chain loans put at risk of liquidation cascade. Gauntlet recommends Aave DAO freeze CRV markets.","source":""},{"date":"2023-08-01","event":"Curve Finance offers 10% bounty to exploiters if funds are returned by August 4. c0ffeebabe.eth returns ~$5.3M from CRV/ETH pool and ~$1.6M from Metronome pool.","source":""},{"date":"2023-08-01","event":"Michael Egorov conducts approximately $42.4 million in OTC CRV token sales at $0.40/token to reduce loan exposure and avoid cascade liquidation.","source":""},{"date":"2023-08-04","event":"Bounty deadline passes without full fund return from all exploiters. Alchemix attacker begins returning funds voluntarily.","source":""},{"date":"2023-08-06","event":"Curve Finance opens $1.85 million public bounty for information leading to identification and conviction of remaining exploiters.","source":""},{"date":"2023-08-07","event":"Approximately 73% of stolen funds recovered or returned. Curve DAO receives recovered ETH from white hat operations.","source":""},{"date":"2023-12-21","event":"Curve DAO votes 94% in favor to disburse approximately $49.2 million in compensation to affected liquidity providers across CRV, alETH, pETH, and msETH pools.","source":""}]},"v":1}Verify offline (run on your own machine)python -m src.verify_decision 5e08eb29-8cda-4558-8172-6fb17dcb0541 - #2reviewby reviewerreviewer2026-06-09 23:17:24ZScore: 52 → 52 (no score change)The investigation page is substantively accurate on the major facts of the July 2023 Curve Finance hack — the exploit date, Vyper versions, total losses, 73% recovery, and the December 2023 DAO compensation vote are all confirmed by credible sources. Two timeline entries contain verifiable date errors: v0.2.16 and v0.3.0 are placed in November 2021 when they were released in August and October 2021 respectively, and v0.3.1's fix is placed in January 2022 when it was released in December 2021. The 10% bounty deadline is also incorrectly stated as August 4 when sources place it at August 6. The CoinTelegraph compensation article URL returns a 404.anchoranchored
- chain
- ●mainnet-betaslot 425,425,814
- sig
4g6iuScwbtwR…SZbojRo7explorer ↗- hash
CxpHK4FrhoY5…KKw8XxFgsha256 → base58
verifying row…full verify ↗canonical bytes (1002 B) ▸
{"actor":"reviewer","decided_at":"2026-06-09T23:17:24.550Z","decision":"review","investigation_id":"108d7b65-7cee-4e16-a90a-10e0f4936e64","new_score":52,"page_slug":"curve-finance","prev_score":52,"reason":"The investigation page is substantively accurate on the major facts of the July 2023 Curve Finance hack — the exploit date, Vyper versions, total losses, 73% recovery, and the December 2023 DAO compensation vote are all confirmed by credible sources. Two timeline entries contain verifiable date errors: v0.2.16 and v0.3.0 are placed in November 2021 when they were released in August and October 2021 respectively, and v0.3.1's fix is placed in January 2022 when it was released in December 2021. The 10% bounty deadline is also incorrectly stated as August 4 when sources place it at August 6. The CoinTelegraph compensation article URL returns a 404.","score_delta":0,"sequence_num":2,"submission_content_hash":null,"submission_id":null,"submission_kind":null,"submission_valence":null,"v":1}Verify offline (run on your own machine)python -m src.verify_decision 34afcc4b-c641-4853-b3ff-faa793ecae9a - #3review reviseby judgejudge2026-06-09 23:17:24ZScore: 52 → 44 (-8)The page is substantively accurate on all core facts — the July 30, 2023 exploit date, Vyper versions, ~$70M total loss, 73% fund recovery, and the December 2023 DAO compensation vote are all confirmed by Tier 1 sources. Two timeline entries are factually incorrect: claim_findings[5] places Vyper v0.2.16 and v0.3.0 releases in November 2021 when they shipped in August and October 2021 respectively, and claim_findings[6] places the v0.3.1 fix in January 2022 when credible sources (CertiK, Tier 1) confirm December 2021. A third error in claim_findings[10] misstates the bounty announcement date (August 1 vs. August 3) and the return deadline (August 4 vs. August 6). The disputed claims are limited to timeline date precision and do not affect the central narrative. One high-priority coverage gap — the absence of on-chain transaction hashes, attacker addresses, and fund-flow forensics — is noted and warrants expansion. One cited source returns a 404 (CoinTelegraph compensation article).anchoranchored
- chain
- ●mainnet-betaslot 425,425,818
- sig
4EuxMJA9W6ha…CX6G1NzKexplorer ↗- hash
78WxV5TehKZB…CbgDz8nPsha256 → base58
verifying row…full verify ↗canonical bytes (1350 B) ▸
{"actor":"judge","decided_at":"2026-06-09T23:17:24.550Z","decision":"review_revise","investigation_id":"108d7b65-7cee-4e16-a90a-10e0f4936e64","new_score":44,"page_slug":"curve-finance","prev_score":52,"reason":"The page is substantively accurate on all core facts — the July 30, 2023 exploit date, Vyper versions, ~$70M total loss, 73% fund recovery, and the December 2023 DAO compensation vote are all confirmed by Tier 1 sources. Two timeline entries are factually incorrect: claim_findings[5] places Vyper v0.2.16 and v0.3.0 releases in November 2021 when they shipped in August and October 2021 respectively, and claim_findings[6] places the v0.3.1 fix in January 2022 when credible sources (CertiK, Tier 1) confirm December 2021. A third error in claim_findings[10] misstates the bounty announcement date (August 1 vs. August 3) and the return deadline (August 4 vs. August 6). The disputed claims are limited to timeline date precision and do not affect the central narrative. One high-priority coverage gap — the absence of on-chain transaction hashes, attacker addresses, and fund-flow forensics — is noted and warrants expansion. One cited source returns a 404 (CoinTelegraph compensation article).","score_delta":-8,"sequence_num":3,"submission_content_hash":null,"submission_id":null,"submission_kind":null,"submission_valence":null,"v":1}Verify offline (run on your own machine)python -m src.verify_decision 297fe16a-bd57-457c-8b3a-d394a24d67d2 - #4reviewby reviewerreviewer2026-06-14 23:16:02ZScore: 44 → 44 (no score change)Blue-chip calibration review (Prompt A). Verdict: over-penalized. Page content is treated as accurate; the trust_score band is miscalibrated. Curve Finance is a legitimate, major DeFi protocol that was a victim of an upstream third-party compiler vulnerability (Vyper), not its own fraudulent conduct or direct engineering negligence. The July 2023 exploit was caused by a reentrancy bug in Vyper versions 0.2.15-0.3.0 — a bug in an external toolchain that Curve relied on in good faith. Critically, 73% of stolen funds were recovered within days, and the DAO voted with 94% approval to compensate the remaining ~$18M in losses, making affected liquidity providers substantially whole by December 2023. As of June 2026 the protocol continues operating with ~$2.2B TVL and no regulatory enforcement actions. Under the post-policy band semantics, a score of 44 (WARNING: elevated fraud/loss risk or unresolved severe incident) overstates the current risk profile: the incident is resolved, funds were compensated, and there is no evidence of fraud, misrepresentation, or Ponzi mechanics. A score of 62 in the CAUTIONARY band (legitimate with material caveats) accurately reflects the reality: Curve is operational and reputable but carries a documented history of a significant exploit and the reputational/systemic risk of Egorov's concentrated CRV borrowing behavior. The one minor factual inaccuracy on the page — stating Vyper v0.3.1 fixed the bug in January 2022, when sources consistently date the fix to December 2021 — does not materially change the narrative.anchoranchored
- chain
- ●mainnet-betaslot 426,514,557
- sig
3ckcs77p4seT…wE1KqNrNexplorer ↗- hash
86iX57YrE4RG…QWTJsXTBsha256 → base58
verifying row…full verify ↗canonical bytes (1915 B) ▸
{"actor":"reviewer","decided_at":"2026-06-14T23:16:02.628Z","decision":"review","investigation_id":"108d7b65-7cee-4e16-a90a-10e0f4936e64","new_score":44,"page_slug":"curve-finance","prev_score":44,"reason":"Blue-chip calibration review (Prompt A). Verdict: over-penalized. Page content is treated as accurate; the trust_score band is miscalibrated. Curve Finance is a legitimate, major DeFi protocol that was a victim of an upstream third-party compiler vulnerability (Vyper), not its own fraudulent conduct or direct engineering negligence. The July 2023 exploit was caused by a reentrancy bug in Vyper versions 0.2.15-0.3.0 — a bug in an external toolchain that Curve relied on in good faith. Critically, 73% of stolen funds were recovered within days, and the DAO voted with 94% approval to compensate the remaining ~$18M in losses, making affected liquidity providers substantially whole by December 2023. As of June 2026 the protocol continues operating with ~$2.2B TVL and no regulatory enforcement actions. Under the post-policy band semantics, a score of 44 (WARNING: elevated fraud/loss risk or unresolved severe incident) overstates the current risk profile: the incident is resolved, funds were compensated, and there is no evidence of fraud, misrepresentation, or Ponzi mechanics. A score of 62 in the CAUTIONARY band (legitimate with material caveats) accurately reflects the reality: Curve is operational and reputable but carries a documented history of a significant exploit and the reputational/systemic risk of Egorov's concentrated CRV borrowing behavior. The one minor factual inaccuracy on the page — stating Vyper v0.3.1 fixed the bug in January 2022, when sources consistently date the fix to December 2021 — does not materially change the narrative.","score_delta":0,"sequence_num":4,"submission_content_hash":null,"submission_id":null,"submission_kind":null,"submission_valence":null,"v":1}Verify offline (run on your own machine)python -m src.verify_decision b55e9b46-3976-4991-943b-9ddff751203b - #5review approveby judgejudge2026-06-14 23:16:02ZScore: 44 → 62 (+18)All six claim_findings (indices 0–5) are supported with zero disputed claims. The July 2023 exploit originated from a third-party Vyper compiler bug, not Curve's own code or conduct (claim_findings[1]); 73% of stolen funds were recovered within days and the DAO voted 94% in favor to compensate remaining losses by December 2023 (claim_findings[2]); no regulatory enforcement actions exist against the entity (claim_findings[3]); and the protocol continues operating with ~$2.2B TVL as of June 2026 (claim_findings[0]). The current score of 44 (WARNING band) treats Curve as though it bears ongoing elevated fraud risk, but the incident is resolved, funds were compensated, and the root cause was an upstream toolchain vulnerability — a pattern that belongs in the CAUTIONARY band (50–69) under the post-policy band semantics. The reviewer's recommended delta of +18 (44→62) is well-supported and appropriate. No status change or delist is warranted; the page content is accurate and must remain published.anchoranchored
- chain
- ●mainnet-betaslot 426,514,559
- sig
5yh1sGw5YuJ3…fs6wpTY8explorer ↗- hash
6V56N4j3wz3w…KHCnKX7Asha256 → base58
verifying row…full verify ↗canonical bytes (1361 B) ▸
{"actor":"judge","decided_at":"2026-06-14T23:16:02.628Z","decision":"review_approve","investigation_id":"108d7b65-7cee-4e16-a90a-10e0f4936e64","new_score":62,"page_slug":"curve-finance","prev_score":44,"reason":"All six claim_findings (indices 0–5) are supported with zero disputed claims. The July 2023 exploit originated from a third-party Vyper compiler bug, not Curve's own code or conduct (claim_findings[1]); 73% of stolen funds were recovered within days and the DAO voted 94% in favor to compensate remaining losses by December 2023 (claim_findings[2]); no regulatory enforcement actions exist against the entity (claim_findings[3]); and the protocol continues operating with ~$2.2B TVL as of June 2026 (claim_findings[0]). The current score of 44 (WARNING band) treats Curve as though it bears ongoing elevated fraud risk, but the incident is resolved, funds were compensated, and the root cause was an upstream toolchain vulnerability — a pattern that belongs in the CAUTIONARY band (50–69) under the post-policy band semantics. The reviewer's recommended delta of +18 (44→62) is well-supported and appropriate. No status change or delist is warranted; the page content is accurate and must remain published.","score_delta":18,"sequence_num":5,"submission_content_hash":null,"submission_id":null,"submission_kind":null,"submission_valence":null,"v":1}Verify offline (run on your own machine)python -m src.verify_decision 57c7c049-cd35-4042-a311-701dd5a52732
How verification works. The “Row integrity” check above is computed in your browser — your machine recomputes the SHA-256 of the canonical bytes and compares against the stored hash. No avoid.net server can fake that check. The “full verify” link goes one level deeper: your browser fetches the on-chain transaction from a Solana RPC node and confirms the same hash is in the memo. If you don’t want to trust either avoid.net or the public RPC, run the CLI verifier on your own machine —
python -m src.verify_decision <event_id>.