- The DeFi hack worth $73 million occurred across different Curve Finance pools on 30 July.
- The hacker has returned stolen funds only to a few pools. $19 million in assets still remain unrecovered.
DeFi protocol Curve Finance has offered a bounty of $1.85 million to anyone who can identify the exploiter responsible for the recent reentrancy attack.
The crypto hack occurred on 30 July, resulting in the theft of more than $73 million in crypto assets from Curve’s different pools. The affected pools included Alchemix, JPEGd and Metronome.
#PeckShieldAlert A total of ~$73.5M worth of cryptos on #Ethereum were stolen in the #Curve Reentrancy exploit. So far, ~73% of them (~$52.3M) have been returned. The remaining ~$19.7M worth of cryptos on #Ethereum have not yet been returned by the 1st Curve CRV-ETH exploiter…
— Leviathan News (@leviathan_news) August 7, 2023
Reentrancy is a common bug that provides hackers opportunities to trick a smart contract into stealing assets by making repeated calls, or software commands, by making repeated calls to a protocol. The attack was found to be caused due to a faulty Vyper code. The code forms the foundation of several parts of the Curve Finance system.
The affected protocols, including Curve Finance, first offered a bug bounty of 10% to the hacker on 3 August. Though the hacker accepted the offer, they only returned the stolen funds to Alchemix and JPEGd.
The JPEG'd DAO confirms receipt of 5,494.4 WETH back to the JPEG'd Multisig for a total of 5,495.4 WETH. A 10% white-hat bounty of 610.6 WETH was awarded to the owner of the address that recovered funds from the pETH exploit.https://t.co/nIBwHHxfQU
— JPEG'd (@JPEGd_69) August 4, 2023
Over $19 million in stolen funds are still remaining.
Curve Finance announced on 6 August that the deadline for the hacker to return all the funds has passed. It then announced a bounty worth 10% of the unrecovered funds, $1.85 million. The protocol also said that it will take the matter to court for conviction.
The deadline for the CRV/ETH exploiter passeshttps://t.co/VphQ0bfYr2 pic.twitter.com/x8LP9Tx4rs
— Curve Finance (@CurveFinance) August 6, 2023
How the DeFi space is coping with the attack
In the aftermath of Curve Finance’s exploit, the DeFi vertical of the crypto ecosystem has experienced a 7% downturn in total value locked (TVL). DeFi TVL held across multiple chains stood at around $41 billion, as per DefiLlama.
Source: DefiLlama
The lending DeFi protocol, AAVE, suffered a decline of nearly 7% within a week. This was due to the protocol’s significant exposure caused by Curve Finance founder Michael Egorov’s loans on its platform.
Source: DefiLlama
Egorov had loans against the project’s native CRV tokens across several DeFi lenders. Later, it emerged that Ergorov had executed several over-the-counter deals worth $42.4 million with several notable crypto influencers.
