Curve Finance, a decentralized finance (DeFi) protocol that facilitates the trading of stablecoins and other tokens, saw several of its liquidity pools exploited on Sunday as a result of a bug in smart contracts that use versions 0.2.15, 0.2.16 and 0.3.0 of the Vyper programming language.

Blockchain security firm PeckShield estimates that, so far, around $52 million has been stolen from a number of DeFi protocols that relied on Curve’s liquidity pools. However, some on-chain analysts believe this figure could be much higher.

Among those affected by the attack was decentralized exchange Ellipsis, which said a number of BNB stablepools that used a Vyper compiler had been exploited. DeFi lending platform Alchemix’s alETH-ETH pool was drained for $13.6 million and NFT lending protocol JPEGd’s pETH-ETH pool lost $11.4 million.

An initial investigation of the exploit pointed to some versions of the Vyper compiler incorrectly implementing a re-entrancy guard, a security measure for smart contracts that fends off re-entrancy exploits by blocking calls into a contract's protected functions while another such call is still in progress.
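The guard described above, as an added illustration (not from the original article, and not Curve or Vyper code): a toy Python model in which a payout callback calls back into the pool, run once with a working lock and once with the lock ineffective. It does not reproduce the Vyper compiler defect itself; the class, account names and amounts are constructed.

```python
# Toy Python model of a pool contract; every name and amount is constructed.
class ReentrantCall(Exception):
    """A guarded function was entered while another call held the lock."""

class Pool:
    def __init__(self, guarded, balances):
        self.guarded = guarded            # False models a missing or ineffective guard
        self.locked = False               # one lock shared by every guarded function
        self.balances = dict(balances)    # account -> amount credited
        self.reserve = sum(balances.values())  # funds the pool actually holds

    def _enter(self):
        if self.guarded and self.locked:
            raise ReentrantCall("call rejected: pool is mid-execution")
        self.locked = True

    def withdraw(self, account, on_receive):
        self._enter()            # raises before the try, so the outer lock stays held
        try:
            amount = self.balances.get(account, 0)
            if amount == 0 or amount > self.reserve:
                return 0
            self.reserve -= amount
            on_receive(amount)   # external call made before the balance is cleared
            self.balances[account] = 0
            return amount
        finally:
            self.locked = False

def simulate(guarded):
    """Return (total paid out to account 'b', reserve left for account 'a')."""
    pool = Pool(guarded, {"a": 100, "b": 100})
    paid = []

    def receiver(amount):        # payout callback that calls back into the pool once
        paid.append(amount)
        if len(paid) == 1:
            try:
                pool.withdraw("b", receiver)
            except ReentrantCall:
                pass             # on-chain, the nested call would revert here

    pool.withdraw("b", receiver)
    return sum(paid), pool.reserve
```

With the lock working, account `b` receives only its own 100 and the other depositor's 100 stays in reserve; with the lock ineffective, the nested call runs against a balance that has not yet been cleared and the reserve is emptied.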

Following the chaos, a number of developers across the ecosystem came together to carry out a whitehat rescue operation for the funds at risk. Two of those attempts, however, were front-run by hackers just minutes before they could be executed.

Analysts at BlockSec believe that the hackers’ wallet was funded from crypto exchange Binance. 

The price of Curve DAO’s native token CRV dropped 15% to $0.62 following the news, prompting fears that a liquidation could be triggered on Curve founder Michael Egorov’s borrowing position on Aave. Market participants cautioned that if the price of CRV falls below $0.42, around $100 million could be liquidated, with effects felt throughout the wider DeFi ecosystem.

Egorov has since paid back a significant amount of his debt, making a cascading liquidation event far less likely.