Historical bad-debt events

Curve Finance's assessment for RD-F-067 — scored yellow on the v1.7.0 rubric. The evidence below is the curator's reasoning for this score.

Evidence summary #

July 30, 2023 Vyper compiler reentrancy exploit: ~$60.7M drained across four pools (pETH/ETH, msETH/ETH, alETH/ETH, CRV/ETH). White-hat c0ffeebabe.eth returned $5.4M; total recovery was ~$52.3M (73%) by August 7, 2023. Net LP loss ~$8-20M. Curve DAO voted December 21, 2023 (94% approval) for $49.2M compensation package ($7.2M ETH + $42M CRV vesting 1 year). Yellow rather than red: (a) DAO actively compensated LPs; (b) root cause was Vyper compiler bug now patched; (c) no systemic protocol insolvency. DNS hijack 2022 (~$573K) excluded — off-chain phishing, not protocol-level economic loss.

Sources #

URL
Curve Pool Reentrancy Exploit Postmortem July 30th, 2023 — LlamaRiskLlamaRisk postmortem: $60.7M across four pools; $5.4M white-hat return from CRV/ETHretrieved 2026-04-28
URL
Curve Finance Pools Exploited Due to Code Vulnerabilities — Chainalysis73% recovery ($52.3M of $73.5M) by August 7, 2023retrieved 2026-04-28
Governance
Curve DAO agrees to $44M compensation for July hack victims — DL NewsCurve DAO voted $49.2M compensation: $7.2M ETH + $42M CRV; 94% approval; December 21, 2023retrieved 2026-04-28
URL
https://web.archive.org/web/2023*/cointelegraph.com/news/curve-finance-disburse-49-million-compensation-hack-victimsretrieved 2026-05-06

Methodology #

Count and sum (USD) the number of documented bad-debt events where the protocol socialized losses across depositors.

See the full factor methodology and distribution across all protocols →

rubric_version v1.7.0 protocol curve-v2 factor RD-F-067 score yellow collected_at 2026-04-28 19:48:40