According to an Aug. 2 social media post by a protocol governing body member, the Curve Finance Lending Protocol has stopped issuing governance tokens for individual liquidity pools affected by the July 30 Curve exploit and the July 6 Multichain exploit.
The rewards were terminated by the Curve Emergency Decentralized Autonomous Organization (Curve E-DAO), a committee made up of elected members of Curve DAO’s governing body. According to the announcement, the decision affected the pools for alETH+ETH, msETH-ETH, pETH-ETH, crvCRVETH, Arbitrum Tricrypto and multibtc3CRV. The decision may be reversed in the future by a full vote of the Curve DAO.
On July 6, more than $100 million worth of cryptocurrencies were withdrawn from a number of bridges that were part of the Multichain protocol.
The Multichain team stated that the withdrawals were “abnormal” and that users should stop using Multichain. At the time, the Curve team warned its users to “get out of multi-chain assets such as multiBTC (including the pool)”, implying that their own multibtc3CRV liquidity pool was at risk due to the Multichain incident.
On July 14, the Multichain team claimed that the withdrawal was made by an unknown person who accessed its CEO’s cloud computing account, implying that the funds were stolen and will never be returned.
On July 30, Curve Finance was the victim of a reentrancy attack. Over $47 million worth of cryptocurrencies were lost during the exploit. The attack affected the alETH, msETH and pETH pools because they were created using a version of the Vyper language containing the vulnerability. Other non-Vyper Curve pools were not affected. However, the Vyper vulnerability led to copycat attacks throughout the DeFi ecosystem, wherever an insecure version of the language was used. In particular, it is reported that DeFi protocols on the BNB Smart Chain lost $73,000 during similar attacks.
Despite these exploits, the affected pools still produced rewards in the form of Curve Finance (CRV) governance tokens. This meant that users could still contribute their tokens to pools to earn CRV. In an August 8 announcement, Shapiro stated that the emergency DAO has now removed these rewards to “avoid incentivizing further participation in these compromised pools.” In July and August, investors continued to suffer from hacks and fraud.
On July 23, payment provider Alphapo allegedly lost more than $60 million due to an attacker gaining access to the private keys of its hot wallet. The company has not confirmed the alleged attack, but online sleuths claim the transfers are abnormal and likely the result of a hack. On July 25, DeFi platform Era Lend, which runs on zkSync, was also hacked for $3.4 million due to a read-only reentrancy bug.