Curve Finance Investigating Price Oracle Exploit
Curve Finance is investigating an attack targeting its sDOLA LlamaLend market. The protocol disclosed the exploit leveraged vulnerabilities in price oracle features, though it stated that lenders were not directly affected.
The exploit was a "donation-style" attack that manipulated the sDOLA exchange rate. This manipulation caused the protocol to misinterpret the value of the collateral, leading to a series of liquidations. The attacker managed to shift the sDOLA/DOLA exchange rate from approximately 1.188 to 1.358. Borrowers with sDOLA as collateral bore the brunt of the attack, with total losses estimated at around $240,000. Lenders, however, were not impacted by the incident. Interestingly, some non-leveraged sDOLA holders saw gains of about 14% due to the distorted exchange rate.
This incident has once again put the security of price oracles in the spotlight. Price oracle manipulation is a known attack vector in DeFi where attackers feed smart contracts incorrect price data, often by using flash loans to temporarily distort prices on decentralized exchanges.
The native token of Curve Finance, CRV, experienced a 3.5% drop in price to around $0.24 following the news. Derivatives data indicated a more cautious market sentiment, with trading volume falling 12% to $127 million and open interest declining by 1.73% to $67.8 million, suggesting traders were closing leveraged positions.
This is not the first security challenge for Curve Finance. In July 2023, the protocol suffered a major exploit of approximately $70 million due to a vulnerability in the Vyper programming language. The platform has also been the target of multiple DNS hijacking incidents in the past.
In response to the latest exploit, the Curve team is investigating other potentially vulnerable markets and is working to enhance the security of LlamaLend V2 to better handle collateral that might be susceptible to "donation attacks". Inverse Finance, the issuer of the DOLA stablecoin, confirmed that its own contracts were not exploited in the attack.
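As an added illustration (not code from Curve, Inverse Finance, or the original article), the sketch below models the donation effect described above and two defensive checks: flagging an abrupt exchange-rate jump and capping how fast a reported rate may move. It assumes a share vault whose rate is total assets divided by total shares; the `Vault`, `CappedRateOracle` and `flag_jumps` names, the balances and the thresholds are all constructed for the example.

```python
from dataclasses import dataclass


@dataclass
class Vault:
    """Assumed model: exchange rate = total assets / total shares."""
    assets: float
    shares: float

    def rate(self) -> float:
        return self.assets / self.shares

    def donate(self, amount: float) -> None:
        # Assets arrive without new shares being minted, so the rate
        # rises for every existing share at once.
        self.assets += amount


class CappedRateOracle:
    """Generic mitigation sketch: the reported rate may move by at most
    max_step (as a fraction) per update, so a one-off spike is damped."""

    def __init__(self, initial_rate: float, max_step: float = 0.005):
        self.reported = initial_rate
        self.max_step = max_step

    def update(self, raw_rate: float) -> float:
        lo = self.reported * (1 - self.max_step)
        hi = self.reported * (1 + self.max_step)
        self.reported = min(max(raw_rate, lo), hi)
        return self.reported


def flag_jumps(rates, threshold=0.02):
    """Detection sketch: indices where the rate moved by more than
    `threshold` (as a fraction) relative to the previous sample."""
    return [i for i in range(1, len(rates))
            if abs(rates[i] / rates[i - 1] - 1) > threshold]


if __name__ == "__main__":
    vault = Vault(assets=1_188_000.0, shares=1_000_000.0)  # constructed balances
    samples = [vault.rate(), vault.rate()]
    vault.donate(170_000.0)                                 # constructed amount
    samples += [vault.rate(), vault.rate()]
    print("rates:", samples)
    print("holder gain: %.1f%%" % ((samples[2] / samples[0] - 1) * 100))
    print("flagged samples:", flag_jumps(samples))
    oracle = CappedRateOracle(samples[0])
    print("capped report after spike:", oracle.update(samples[2]))
```

With the article's figures, the move from 1.188 to 1.358 is a jump of roughly 14.3%, which matches the reported gain for non-leveraged holders. A cap like this also delays legitimate rate changes, so the step size has to be weighed against the collateral's normal yield.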