Curve Finance, a prominent cryptocurrency trading platform, is offering a $1.85 million public bounty to anyone who can correctly identify the DeFi protocol’s exploiter in a manner that results in conclusive legal ramifications. The company has further stated that if the perpetrator returns the amount in full, it will drop the case. The complete statement was released on the social media application X.
In its official statement, Curve said, “The deadline for the voluntary return of funds in the Curve exploits passed at 0800 UTC.” Curve publicly added in the input data of an Ethereum transaction, “We now extend the bounty to the public and offer a reward valued at 10% of remaining exploited funds (currently $1.85M USD) to the person who is able to identify the exploiter in a way that leads to a conviction in the courts.”
What exactly transpired
On July 30, an exploiter used vulnerable versions of the Vyper programming language to perform reentrancy attacks on targeted stable pools, draining over $73 million from Curve’s production pools. Curve is now offering the $1.85 million bounty over the financial damage to several projects, notably Alchemix, Metronome and JPEGd. Fortunately, $53 million, that is, 73% of the stolen funds, has been recovered, according to figures published by PeckShield, a security firm.
The attacker who hit Alchemix’s alETH-ETH pool on Curve returned the whole $22 million. This amount includes almost 12,000 ether (ETH). A timely intervention by a white hat hacker also halted a $13 million theft from Alchemix. The perpetrator of the hack on JPEGd’s pETH-ETH pool returned 90% of the drained funds, totalling 5,495 ETH ($11.5 million).
Furthermore, about $7 million in funds taken from Metronome’s sETH-ETH pool and Curve Finance’s CRV-ETH main pool was returned by an MEV bot operator going by the ENS handle c0ffeebabe.eth. PeckShield stated that $19.7 million in stolen funds has yet to be returned.
For the CRV token, though, this is a time of tangible relief. Its value dropped by roughly 30%, from $0.72 to $0.5, shortly after the attack. As funds are repaid, it is now trading at $0.61, a marked improvement considering the trying circumstances. The most interesting part of the whole debacle was that, after being promised a 10% bug bounty, the attacker refunded stolen coins to the projects JPEGd and Alchemix, although they did not repay other vulnerable pools.
The exploiter reportedly responded cheekily in a transaction: “I want to clarify that I’m refunding you not because you can find me, but because I don’t want to ruin your project,” adding, “Maybe it’s a lot of money for a lot of people, but not for me, because I’m smarter than all of you.”
Companies wrestling with the incident
With Curve now offering the $1.85 million bounty, the trio of MetronomeDAO, Curve Finance and Alchemix Finance had tried to negotiate a voluntary refund with the attacker, but to no effect. They had also stated that they were planning legal action against the exploiter. The expiry of yesterday’s deadline triggered a rush of comments on Crypto X, with some doubting that it would aid in the recovery of any, let alone all, of the stolen funds.
Many netizens were quick to speculate that the most probable perpetrator of the attack on Curve could be the infamous Lazarus gang, a North Korean hacking unit that made similar news this past week with another million-dollar vulnerability. “This is the state of the crypto justice system,” one person tweeted, adding, “and it’s all the fault of blockchains not having administration and security in depth built directly into the protocol of the blockchain level.”