Curve Finance Announces $1.85 Million Bounty For Stable Pool Exploiter

Curve Finance, a popular decentralized finance (DeFi) protocol, has announced a reward for anyone who can identify the exploiters behind the draining of over $61 million from the platform’s stable pools on July 30.

The bounty is open to anyone who can identify the individual behind the incident in a way that leads to definitive legal repercussions.

Curve Finance Extends Bounty Offer to the Public

Curve Finance announced the public offer in the input data of an Ethereum transaction, noting that the deadline for the voluntary return of the funds connected to the Curve exploit was 08:00 UTC and that this deadline has now passed.

Curve and other protocols that were affected by the attack had previously offered a 10% bug bounty to the hacker on August 3. Upon agreeing to the offer, the hacker returned part of the stolen assets to JPEGd and Alchemix but did not refund other affected pools. 

Since the deadline has passed, Curve announced that any person capable of identifying the hacker would receive assets worth $1.85 million. The scope of the offer has been extended to include members of the general public.

According to Curve, while the deadline for the voluntary return of stolen funds had passed, should the hacker elect to return the stolen funds, the platform “…will not pursue this further.” 

When returning part of the funds earlier, the hacker left a message, seemingly addressed to the Curve and Alchemix teams, stating their intention to return the funds. However, the hacker said that the decision to return the funds was not based on fear of being identified but rather on a desire not to “ruin” the projects associated with the exploit.

The $61 Million Reentrancy Attack

Members of the Curve Finance community were left shocked after a hacker exploited vulnerable versions of the Vyper programming language to carry out reentrancy attacks on stable pools within Curve Finance on the 31st of July.

The attack drained Curve Finance of over $61 million, including $13.6 million from Alchemix’s alETH-ETH, $11.4 million from JPEGd’s pETH-ETH, and $1.6 million from Metronome’s sETH-ETH. The event raised concerns about the likely fallout in the cryptocurrency ecosystem, especially with respect to the risks posed to every pool using Wrapped Ether (WETH).

The DeFi community rallied to support Curve Finance, and on the 31st of July a white hat hacker recovered about 2,879 Ether, worth about $5.4 million, from the exploiter; it was later returned to Curve Finance. Another ethical hacker also recovered about 3,000 ETH and refunded it to Curve Finance’s deployer address.