Adoption

Agent Skills are supported by leading AI development tools.

VS Code Gemini CLI GitHub Goose Amp Cursor Claude Code Letta OpenCode Claude OpenAI Codex Factory VS Code Gemini CLI GitHub Goose Amp Cursor Claude Code Letta OpenCode Claude OpenAI Codex Factory

apegurus/curve-reentrancy

Name: curve-reentrancy
Author: apegurus

skills/case-studies/curve-reentrancy/SKILL.md

Case study of the 2023 Curve reentrancy exploit: Vyper compiler bug draining ~$70M

development

Updated May 13, 2026

$ install --global

skillsauth

npx skillsauth add apegurus/solidity-argus curve-reentrancy

Install this skill globally with one command. Works with Claude Code, Cursor, and Windsurf.

Security Scan Results

3 of 9 scanners reported clean

Some scanners were skipped, did not run, or reported a non-clean status. Review each row below.

Scanners Passed

Scanners in report

Clean

TrivyContainer and dependency vulnerability scanner

95%

Clean

SemgrepStatic code analysis for vulnerabilities

95%

Clean

mcp-scan (Snyk)Model Context Protocol security validation

95%

Skipped

Snyk (dep)Open source security scanning

50%

Skipped

Socket.devSupply chain security analysis

50%

Skipped

VirusTotalMulti-engine malware detection

50%

Skipped

CrowdStrikeAdvanced threat intelligence

50%

Skipped

OSV-ScannerOpen Source Vulnerability database check

50%

Skipped

OWASP Dep-Check

50%

Last scanned: May 13, 2026, 3:19 AM121.3s1 file scanned

SKILL.md

name:: curve-reentrancy
description:: Detects Vyper's nonreentrant decorator. In certain compiler versions (0.2.15, 0.2.16, 0.3.0), this was broken for cross-function reentrancy.
category:: reference
source_url:: https://rekt.news/curve-lp-rekt-vyper-reentrancy/
source_license:: CC0
imported_at:: 2025-02-20T00:00:00Z
- regex:: @nonreentrant
severity:: High

Curve Reentrancy (2023)

Overview

In July 2023, several Curve Finance liquidity pools (alETH, msETH, pETH) were exploited for approximately $70 million. Unlike most reentrancy attacks caused by developer error, this was caused by a bug in the Vyper compiler (versions 0.2.15, 0.2.16, and 0.3.0) that failed to properly implement reentrancy guards.

Root Cause

The vulnerability was a compiler-level bug in Vyper's @nonreentrant decorator. In the affected versions, the compiler used the same storage slot for reentrancy locks across different functions if they were in the same "reentrancy group", but it failed to correctly handle the lock state in certain scenarios involving cross-function calls. This allowed an attacker to re-enter a contract through a different function even if both were marked @nonreentrant.

Attack Flow

Attacker identified Curve pools using vulnerable Vyper versions (specifically those with add_liquidity and remove_liquidity functions).
Attacker called add_liquidity to deposit assets.
During the execution of add_liquidity, the contract made an external call (e.g., to a token's transfer or fallback function).
The attacker's malicious contract re-entered the Curve pool by calling remove_liquidity.
Because the reentrancy guard was broken at the compiler level, the second call was allowed to proceed before the first call's state updates (like updating the pool's total supply) were finalized.
This allowed the attacker to withdraw more assets than they were entitled to.

Impact

Loss: ~$70M
Protocol: Curve Finance
Chain: Ethereum
Date: 2023-07-30

Key Transactions

Attack tx (pETH pool): 0xa84aa0650c3e6f849339384388e1a769a540003ade07ba379c2d3efc4fb7ca7d

Detection Heuristics

Pattern 1: Use of Vyper compiler versions 0.2.15, 0.2.16, or 0.3.0.
Pattern 2: Contracts with multiple functions using the same reentrancy lock key.

Remediation

Fix 1: Upgrade to a patched version of the Vyper compiler (0.3.1 or later).
Fix 2: Manually implement reentrancy guards using storage variables if the compiler version cannot be changed.
Fix 3: Conduct thorough audits that include checking the underlying compiler and infrastructure vulnerabilities.

References

rekt.news/curve-lp-rekt-vyper-reentrancy/
hackmd.io/@vyperlang/H1No9_h_h

Related Skills

apegurus/vector-scan

testing

VerifiedTrustedCommunity

Specialist profile for mechanically applying the attack-vector deck and classifying vectors as skip, drop, or investigate.

SKILL.mdUpdated May 30, 2026

apegurus/periphery

tools

VerifiedTrustedCommunity

Specialist profile for libraries, helpers, base contracts, adapters, encoders, wrappers, and integration glue.

SKILL.mdUpdated May 30, 2026

apegurus/math-precision

testing

VerifiedTrustedCommunity

Specialist profile for rounding, scale, decimal, downcast, and arithmetic accounting edge cases.

SKILL.mdUpdated May 30, 2026

apegurus/math-precision

apegurus/invariant

testing

VerifiedTrustedCommunity

Specialist profile for extracting conservation laws and state couplings, then searching for violating paths.

SKILL.mdUpdated May 30, 2026

Download

For Claude Desktop. Download once, then upload the file in the app — no terminal needed.

Need help? View full Cowork setup guide →

Install manually

Choose your platform

# Clone the repo
git clone https://github.com/apegurus/solidity-argus.git

# Copy into Claude Code skills folder (global)
cp -r solidity-argus/skills/case-studies/curve-reentrancy ~/.claude/skills/

Claude Code Skills — official skills path docs.

Repository

apegurus/solidity-argus

Compatible with

Claude Code

OpenAI Codex CLI

ChatGPT

apegurus/curve-reentrancy

skills/case-studies/curve-reentrancy/SKILL.md

Case study of the 2023 Curve reentrancy exploit: Vyper compiler bug draining ~$70M

development

Updated May 13, 2026

$ install --global

skillsauth

npx skillsauth add apegurus/solidity-argus curve-reentrancy

Install this skill globally with one command. Works with Claude Code, Cursor, and Windsurf.

Security Scan Results

3 of 9 scanners reported clean

Some scanners were skipped, did not run, or reported a non-clean status. Review each row below.

Scanners Passed

Scanners in report

Clean

TrivyContainer and dependency vulnerability scanner

95%

Clean

SemgrepStatic code analysis for vulnerabilities

95%

Clean

mcp-scan (Snyk)Model Context Protocol security validation

95%

Skipped

Snyk (dep)Open source security scanning

50%

Skipped

Socket.devSupply chain security analysis

50%

Skipped

VirusTotalMulti-engine malware detection

50%

Skipped

CrowdStrikeAdvanced threat intelligence

50%

Skipped

OSV-ScannerOpen Source Vulnerability database check

50%

Skipped

OWASP Dep-Check

50%

Last scanned: May 13, 2026, 3:19 AM121.3s1 file scanned

SKILL.md

name:: curve-reentrancy
description:: Detects Vyper's nonreentrant decorator. In certain compiler versions (0.2.15, 0.2.16, 0.3.0), this was broken for cross-function reentrancy.
category:: reference
source_url:: https://rekt.news/curve-lp-rekt-vyper-reentrancy/
source_license:: CC0
imported_at:: 2025-02-20T00:00:00Z
- regex:: @nonreentrant
severity:: High

Curve Reentrancy (2023)

Overview

Root Cause

Attack Flow

Attacker identified Curve pools using vulnerable Vyper versions (specifically those with add_liquidity and remove_liquidity functions).
Attacker called add_liquidity to deposit assets.
During the execution of add_liquidity, the contract made an external call (e.g., to a token's transfer or fallback function).
The attacker's malicious contract re-entered the Curve pool by calling remove_liquidity.
Because the reentrancy guard was broken at the compiler level, the second call was allowed to proceed before the first call's state updates (like updating the pool's total supply) were finalized.
This allowed the attacker to withdraw more assets than they were entitled to.

Impact

Loss: ~$70M
Protocol: Curve Finance
Chain: Ethereum
Date: 2023-07-30

Key Transactions

Attack tx (pETH pool): 0xa84aa0650c3e6f849339384388e1a769a540003ade07ba379c2d3efc4fb7ca7d

Detection Heuristics

Pattern 1: Use of Vyper compiler versions 0.2.15, 0.2.16, or 0.3.0.
Pattern 2: Contracts with multiple functions using the same reentrancy lock key.

Remediation

Fix 1: Upgrade to a patched version of the Vyper compiler (0.3.1 or later).
Fix 2: Manually implement reentrancy guards using storage variables if the compiler version cannot be changed.
Fix 3: Conduct thorough audits that include checking the underlying compiler and infrastructure vulnerabilities.

References

rekt.news/curve-lp-rekt-vyper-reentrancy/
hackmd.io/@vyperlang/H1No9_h_h

Related Skills

apegurus/vector-scan

testing

VerifiedTrustedCommunity

Specialist profile for mechanically applying the attack-vector deck and classifying vectors as skip, drop, or investigate.

SKILL.mdUpdated May 30, 2026

apegurus/periphery

tools

VerifiedTrustedCommunity

Specialist profile for libraries, helpers, base contracts, adapters, encoders, wrappers, and integration glue.

SKILL.mdUpdated May 30, 2026

apegurus/math-precision

testing

VerifiedTrustedCommunity

Specialist profile for rounding, scale, decimal, downcast, and arithmetic accounting edge cases.

SKILL.mdUpdated May 30, 2026

apegurus/math-precision

apegurus/invariant

testing

VerifiedTrustedCommunity

Specialist profile for extracting conservation laws and state couplings, then searching for violating paths.

SKILL.mdUpdated May 30, 2026

Download

For Claude Desktop. Download once, then upload the file in the app — no terminal needed.

Need help? View full Cowork setup guide →

Install manually

Choose your platform

# Clone the repo
git clone https://github.com/apegurus/solidity-argus.git

# Copy into Claude Code skills folder (global)
cp -r solidity-argus/skills/case-studies/curve-reentrancy ~/.claude/skills/

Claude Code Skills — official skills path docs.

Repository

apegurus/solidity-argus

Compatible with

Claude Code

OpenAI Codex CLI

ChatGPT