Curve Finance offers 1.85 mln bounty to recover stolen crypto funds
- The DeFi hack worth $73 million occurred across different Curve Finance pools on 30 July.
- The hacker has returned stolen funds only to a few pools. $19 million in assets still remain unrecovered.
DeFi protocol Curve Finance has offered a bounty of $1.85 million to anyone who can identify the exploiter responsible for the recent reentrancy attack.
The crypto hack occurred on 30 July, resulting in the theft of more than $73 million in crypto assets from Curve’s different pools. The affected pools included Alchemix, JPEGd and Metronome.
#PeckShieldAlert A total of ~$73.5M worth of cryptos on #Ethereum were stolen in the #Curve Reentrancy exploit. So far, ~73% of them (~$52.3M) have been returned. The remaining ~$19.7M worth of cryptos on #Ethereum have not yet been returned by the 1st Curve CRV-ETH exploiter…
— Leviathan News (@leviathan_news) August 7, 2023
Reentrancy is a common bug that provides hackers opportunities to trick a smart contract into stealing assets by making repeated calls, or software commands, by making repeated calls to a protocol. The attack was found to be caused due to a faulty Vyper code. The code forms the foundation of several parts of the Curve Finance system.
The affected protocols, including Curve Finance, first offered a bug bounty of 10% to the hacker on 3 August. Though the hacker accepted the offer, they only returned the stolen funds to Alchemix and JPEGd.
The JPEG'd DAO confirms receipt of 5,494.4 WETH back to the JPEG'd Multisig for a total of 5,495.4 WETH. A 10% white-hat bounty of 610.6 WETH was awarded to the owner of the address that recovered funds from the pETH exploit.https://t.co/nIBwHHxfQU
— JPEG'd (@JPEGd_69) August 4, 2023
Over $19 million in stolen funds are still remaining.
Curve Finance announced on 6 August that the deadline for the hacker to return all the funds has passed. It then announced a bounty worth 10% of the unrecovered funds, $1.85 million. The protocol also said that it will take the matter to court for conviction.
The deadline for the CRV/ETH exploiter passeshttps://t.co/VphQ0bfYr2 pic.twitter.com/x8LP9Tx4rs
— Curve Finance (@CurveFinance) August 6, 2023
How the DeFi space is coping with the attack
In the aftermath of Curve Finance’s exploit, the DeFi vertical of the crypto ecosystem has experienced a 7% downturn in total value locked (TVL). DeFi TVL held across multiple chains stood at around $41 billion, as per DefiLlama.
The lending DeFi protocol, AAVE, suffered a decline of nearly 7% within a week. This was due to the protocol’s significant exposure caused by Curve Finance founder Michael Egorov’s loans on its platform.
Egorov had loans against the project’s native CRV tokens across several DeFi lenders. Later, it emerged that Ergorov had executed several over-the-counter deals worth $42.4 million with several notable crypto influencers.