Curve Finance suffered an attack that drained over $61 million from its Vyper-based liquidity pools on July 30. According to the report, the attacker exploited a vulnerability in Curve’s Vyper 0.2.15 reentrancy lock.
After the hack, the protocol offered a bounty to the hacker. But according to a report on August 6, the hacker failed to meet the request. As a result, Curve Finance has offered a bounty to anyone who can identify the exploiter.
Curve Extends $1.85 Million Bounty To The Public To Encourage Full Stolen Fund Recovery
In a tweet on July 30, Curve Finance’s team revealed that the attack affected four liquidity pools for Ethereum pairs: CRV, Curve Finance’s governance token, and several ERC-20 tokens issued on Metronome Synth (smETH), Alchemix (alETH), and JPEG’d (pETH).
In detail, the exploiter carted away $13.6 million from Alchemix’s alETH-ETH pool, $11.4 million from JPEG’d’s pETH-ETH, and $1.6 million from Metronome’s sETH-ETH.
Curve Finance CEO Michael Egorov confirmed that the protocol lost 32 million Curve DAO (CRV) tokens worth more than $22 million from its swap pool.
On August 3, Curve Finance and other affected protocols offered the hacker 10% ($6 million) of the stolen amount as a bounty.
However, after accepting the offer, the hacker returned stolen assets only to Alchemix and JPEG’d, without completely refunding the other affected pools. On August 6, the protocol announced that the deadline given to the exploiters for the voluntary return of funds had passed at 8:00 am UTC.
Following this, Curve Finance stated that it had extended the bounty to the public, offering a reward worth 10% of the unrecovered stolen funds, about $1.85 million. Whoever brings information that leads to the hackers’ arrest and criminal conviction will get the bounty.
However, the protocol also stated that it would drop the case if the exploiter changed his mind and voluntarily returned the remaining funds in full.
Hackers Stole $73,000 In Crypto From BSC Following The Curve Finance Exploit
The Curve exploits exposed vulnerabilities across several decentralized finance projects. Following Curve Finance’s exploit, the BNB Smart Chain (BSC) also fell victim to a copycat attack due to a Vyper programming language vulnerability. A July 30 tweet by BlockSec revealed that hackers stole approximately $73,000 worth of crypto assets on the BSC chain.
White-hat and black-hat hackers have been clashing, each trying to disrupt the other’s attempts to recover or move funds, since news of the exploits circulated in the industry.
One such instance is a white-hat hacker dubbed “coffebabe.eth,” who was able to hijack some funds for safekeeping. On July 30, the white-hat hacker sent an on-chain message asking the affected protocols to make contact to retrieve the funds.
Source: https://bitcoinist.com/curve-finance-exploiter-returns-incomplete-funds/