Vyperlang team with special thanks to Omniscia team[^byline-note]
[^byline-note]: Special thanks to the Omniscia team, which, while not directly affiliated with Vyper, contributed substantial co-authorship, feedback and review of this post-mortem report
On the 30th of July, 2023, multiple Curve.Fi liquidity pools were exploited as a result of a latent vulnerability in the Vyper compiler, specifically in versions 0.2.15, 0.2.16, and 0.3.0. While the bug was identified and patched by the v0.3.1 release, the impact on protocols using the vulnerable compilers was not realized at the time, and they were not explicitly notified. The vulnerability itself was an improperly implemented re-entrancy guard that could be bypassed under certain conditions, which we will delve into in this report.
While the hacks themselves have been sufficiently covered in other post-mortems including the official one by Curve.Fi, we would like to take a deep-dive into what exactly went wrong with the Vyper compiler itself, why the vulnerability was hard to spot, and what the ecosystem as a whole can learn from these incidents.
If you are familiar with the blockchain space and why Vyper exists, we recommend skipping the Background section as it contains very basic information that you most likely are aware of.
Vyper