DEXs Update – Curve Finance, PancakeSwap, LeetSwap, and Uniswap

In the latest exploit incident shaking DeFi, popular decentralized exchange Curve Finance was exploited to $52 million on Sunday. Here are details on the incident's aftermath and other decentralized exchange headlines.

CRV token on recovery path after exploit on Curve Finance

Curve Finance liquidity pools were on Sunday drained as much as $47 million after a bug exposed stablecoin pools on the platform to a series of attacks, the first of which was reported at around 9:30 am ET. In addition to the exploit of JPEG'd's pETH-ETH liquidity pool for $11.4 million, blockchain auditing and analytic teams tracked four other attacks. Alchemix's alETH-ETH pool saw an outflow of $13.6 million, while the CRV/ETH pool and Metronome's sETH-ETH pool were drained $25 million and $1.6 million, respectively. The exploit also affected other DeFi projects, including Ellipsis, which reported some stablecoin pools with BNB being affected.

The attackers exploited a vulnerability in some versions (v0.2.15, 0.2.16 and 0.3.0) of the compiler for Vyper programming language used on Curve smart contracts. Affected versions of Vyper incorrectly implemented the re-entrancy guard which ensures smart contracts are not susceptible to re-entrancy exploits by locking them. The mechanism essentially prevents multiple functions from being simultaneously called.

Exploit aftermath and recovery

A maximum extractable value (MEV) bot operator ‘c0ffebabe.eth' front ran the attack on the CRV-ETH liquidity pool and recovered nearly 2,879 ETH worth over $5 million. The weekend's exploit markedly resulted in a record day in terms of payout to MEV operators post-Merge. mevboost.pics MEV dashboard shows that more than 6,000 ETH was paid in MEV block rewards. Another observer on X, Eric Conner, separately noted that Sunday returned some of the largest MEV reward blocks in Ethereum’s history.

Following reports of the incident on the stablecoin-focused DEX, Upbit notified users that it had suspended deposits and withdrawals of CRV. Binance CEO CZ, among other industry executives, remarked on the incident, assuring that the Vyper vulnerability didn’t affect the exchange.

“Curve getting exploited. Risk of bad debt and liquidations in the ecosystem. This might seem like an ‘it’s over' moment, but perhaps it’s just this cycles Black Thursday – the last crash before the bull market, with everything coming back 100x stronger,” MakerDAO co-founder Rune Christensen wrote on X.

Despite shedding significant liquidity coming off the weekend, Curve is still one of the largest DEXes with a total-value locked (TVL) volume of $1.61 billion, behind Uniswap, which leads with $3.8 billion. Though CurveDAO's native CRV token hemorrhaged value on DEX platforms in reaction to the news, its spot price on exchanges remained above 55 cents thanks to Chainlink's oracle system, which relies on CEX price feeds.

The weekend exploit appeared to put $168 million of Curve founder Michael Egorov's lending positions on Aave and Frax Finance at risk of liquidation, sparking bearish sentiment around lending tokens like Compound (COMP) and Aave (AAVE). On-chain records – transactions of OTC deals – suggest Egorov has taken steps to stabilize his DeFi position backed by nearly half of CRV circulating supply. Egorov made a 5.13 million FRAX stablecoin loan repayment whilst reclaiming collateral of 12.5 million CRV tokens moved to a different wallet.

To learn more about Aave, check out our Investing in Aave guide.

Another wallet associated with Tron blockchain founder Justin Sun scooped about 5 million (~2.9 million) CRV from Egorov's Curve.fi wallet at roughly 40 cents compared to the spot price of $0.59.

“As steadfast partners, we remain committed to providing support whenever needed.” Sun posted on X, alluding to a partnership between Tron and Curve.“Our joint efforts will introduce an @stusdt pool on Curve, amplifying user benefits. Together, we aim to empower the community and forge decentralized finance.”

On-chain tracking teams also reported a transaction of 4.25 million CRV to an account belonging to one DCFGod and three more to institutional investors.

“More and more institutions and investors bought $CRV via OTC! Machi Big Brother bought 3.75M $CRV. DWF Labs bought 2.5M $CRV. Cream.Finance bought 2.5M $CRV. Michael Egorov has sold a total of 39.25M $CRV via OTC and received 15.8M $USDT.” LookonChain security team noted in a tweet.

To learn more about Curve, check out our Investing in Curve guide.

LeetSwap halts trading amid reports of an exploit

LeetSwap, a fast-rising DEX operating on Coinbase’s L2 Base network, said in a tweet on Monday that it had halted trading due to pool liquidity being compromised with on-chain trackers showing roughly 340 ETH was drained.

“As our DEX is forked from Solidly, our factory had a security pause function,” LeetSwap posted. “We noticed that some pool liquidity might have been compromised and we temporarily stopped the trading to investigate.”

The latest incident follows reports of Bald, a recently hyped meme coin, crumbling after the project's developer pulled an exit scam siphoning 6,800 ETH from the token’s liquidity pool on LeetSwap. In the aftermath of the two setbacks, LeetSwap's deposits have crumbled to $4.21 million on Tuesday from a peak of $41 million on Sunday per DeFi Llama.

Curve Finance and LeetSwap exploits add to an earlier successful attempt affecting Multichain where roughly $125 million worth of assets were drained from the bridging protocol leading to the cross-chain platform ultimately ceasing operations. PeckShieldAlert page noted on Monday that the drainer had begun transferring some looted funds. The exploiter swapped 220 WBTC (~$6.5 million) for 6.4M USDT and then transferred ~2.85M USDT to 6 separate addresses. The drainer also executed three transfers of 100 WBTC per the security firm.

On-chain records compiled by CertiK show that July has been the worst month in terms of crypto hacks and exploits this year, with traders losing $303M across the month. Flash loans and exit scams (rug pulls) accounted for $8.7 million and $8.6 million respectively. Web3 outlet De.Fi separately pointed out that only $6.15 million from crypto hacks and exploits in the concluded month was recovered.

PancakeSwap to share trading-fee revenue with CAKE token stakers

PancakeSwap is now available on five blockchains after launching on the zkSync Era blockchain last Thursday. The expansion to zkSync Era aligned with the DEX's multichain goal to accumulate a large user base and bump its protocol revenue. It also marked a fifth chain where the DEX is available, having deployed on the BNB chain, Ethereum, Polygon zkEVM and Aptos already.

PancakeSwap was launched in 2020 on the BNB chain and has grown to become the second-largest decentralized exchange by TVL market share behind Uniswap. Last month, PancakeSwap expanded to Polygon zkEVM after its v3 officially launched on the zkEVM Mainnet Beta, allowing users to directly access Swap and Liquidity Provision functionalities in a smooth experience.

The DEX confirmed on Monday that it would share trading-fee revenue with stakers of its native CAKE token as a long-term initiative to nurture growth in the ecosystem. The additional rewards will see fixed-term CAKE stakers receive 5% of the trading fee revenues from all v3 pairs in the 0.01% and 0.05% fee tiers which contribute 80-90% of the v3 trading volumes.

The weekly revenue-sharing program is applicable to all chains and will start with a first distribution on Aug. 9. Users who will have staked before Aug. 2 will be eligible to claim trading fee rewards in this round, while those following after Aug. 2 and before Aug. 9 will claim their rewards in the second round on Aug. 16. Stakers from June and July will also be able to lay claim to the additional rewards. In an Aug 1 update, PancakeSwap celebrated surpassing a trading volume of $12.5 billion across its chains.

To learn more about PancakeSwap, check out our Investing in PancakeSwap guide.

Uniswap unrivaled as fellow DEXs hurt

Notwithstanding the recent changes among decentralized exchange platforms, Uniswap is the leading DEX by trading volume and market share. In April, the Ethereum-based automated market maker protocol outdid Coinbase in spot market volume marking the second successive triumph. According to CCData, the decentralized exchange handled over $70 billion in trading volume in March, compared to Coinbase, which did $49.2 billion.

Equally, March was Uniswap's best-performing month this year, during which the decentralized finance space saw its value skyrocket to a ten-month high. Uniswap's volume contribution in DeFi topped $71.6 billion out of a possible $119.96 billion in March – 45% better than Coinbase. The DEX's market share also reached its biggest position yet – peaking at 63.9% as of the end of Q1.

Uniswap's feat comes against its v3 becoming available with a General Public License after its Business Source License (BSL) expired on April 1, allowing developers who had been lying in wait to fork the protocol and deploy it as a stand-alone decentralized exchange to pounce. Developers of PancakeSwap were those who adopted Uniswap's model to debut services on Aptos, Ethereum and BNB Chain. Uniswap v3 previously went live on BNB Chain in mid-March after passing a controversial proposal by oxPlasma Labs in February aimed at tapping into the massive volume and user base of the Binance-native chain.

To learn more about Uniswap, check out our Investing in Uniswap guide.