On April 20th, 2020, a critical vulnerability was discovered in the Curve sUSD pool contract functioning. The Curve team has directly paused the pool to avoid putting funds at extra risks and to ensure investors a complete safety and security regarding this new issue. To solve this recent problem, the Curve team is also starting to prepare a disclosure around the specifics of the vulnerability. At the moment of writing, no known issues with the sUSD token contract or other Curve contracts have been identified. The system is still under important investigations, and the team will be sharing more information as soon as possible. The core team is also encouraging anyone contributing liquidity to the sUSD Curve pool to withdraw it before the migration to a new contract.
So, what’s next?
The Curve team has chosen to deploy a new non-interest-bearing pool for sUSD, USDC, DAI USDT and will transition the SNX incentives to this new pool later this week after community review. Curve has been working on an implementation of Curve that utilises Aave for all tokens in the pool. The changes required to this pool requires a complete audit which will be arranged as soon as the new contract is ready. Once the audit is complete and any remediations are performed, the Curve team will deploy this new pool as soon as possible. The system will thus transition the SNX incentives to this new Curve aPool using (aUSDC, aSUSD, aUSDT & aDAI) and ensures a simple mechanism for transitioning between these pools is available.Without further action, the funds are still safe as the Curve pool is paused and only withdrawals are enabled.
More details on the vulnerability and how to withdraw funds can be read at the official page https://www.blog.synthetix.io