Curve Finance, a decentralized finance (DeFi) protocol, is now rewarding individuals capable of identifying the individual behind the draining of more than $61 million from its pools on July 30 unless the hacker fully releases the funds. This bug bounty offer is open to anyone who can pinpoint the exploiter responsible for the incident in a way leading to definitive legal repercussions.
Curve extends bounty offer to the public
Curve Finance communicated the offer through an Ethereum transaction’s input data stating that the cutoff time for the voluntary return of funds related to the Curve exploit was 0800 UTC, and had passed. Subsequently, they highlighted their decision to broaden the scope of the bounty to the general public. The protocol is now offering a reward of 10% of the remaining exploited funds (currently valued at $1.85 million) to anyone who can successfully identify the exploiter in a manner that results in a conviction in court.
Curve also clarified that they would drop any further actions if the exploiter returned the entire amount of funds they drained. While some of the funds have been returned, before returning the funds, the attacker left a message seemingly aimed at the Alchemix and Curve teams, stating their intention to refund the funds. However, they added that the decision to return the funds was not driven by the fear of being identified but rather out of a desire not to “ruin” the projects associated with the exploit.
Curve Finance’s $61 million attack
On July 30, an attacker used vulnerable versions of the Vyper programming language to execute reentrancy attacks on specific stable pools within Curve Finance, draining over $61 million. This incident stressed DeFi protocols, raising concerns about its impact on the crypto ecosystem, particularly due to the risk posed to all pools with Wrapped Ether (WETH).
Amidst the crisis, the DeFi community provided support to Curve Finance. On July 31, a white hat hacker successfully recovered approximately 2,879 Ether valued at around $5.4 million from the exploiter and returned it to Curve Finance. Shortly afterward, another ethical hacker intervened, retrieving nearly 3,000 ETH and returning it to Curve’s deployer address.
