There are new developments in the Curve Finance exploit. Reports indicate that the hackers have returned approximately 73% of the stolen Curve Finance tokens, about $53 million.
The returned tokens include $22 million worth of assets taken from AlchemixFi, $11.5 million from JPEG’d, $6 million from Metronome, and $13 million from Curve trading pool. This positive development has mitigated some of the losses incurred by the affected projects.
It has also helped dampen the price volatility of Curve Finance’s native token, CRV. The exploited protocols, including Curve Finance, Alchemix, and Metronome, had announced a bug bounty of 10% of the stolen funds to incentivize the hackers to return the assets.
This approach has yielded results, with the hacker voluntarily returning a significant amount of the funds.
A Huge Reward To Identify The Hackers
Earlier, Curve Finance announced a $1.85 million bug bounty reward for anyone who can identify the hacker responsible for draining over $61 million from its stable pools last week. The exploit had exposed vulnerabilities in the Vyper programming language used by Curve and other affected protocols.
Initially, the affected projects, including Alchemix and JPEG’d, offered the hacker a 10% bounty worth more than $6 million. In response, the hacker returned some assets to JPEG’d and Alchemix.
However, the deadline for full refunds passed without the hacker returning the assets taken from the other impacted pools. Curve Finance therefore extended the bug bounty to the public, offering a reward equivalent to 10% of the remaining exploited funds, which is $1.85 million.
The platform stated that anyone who can identify the attacker in a way that leads to a conviction in the courts will receive a reward. But the platform clarified that should the exploiter choose to return the funds in full, further pursuit would be halted.
Hacker Reveals Motive Behind Refunds
Before returning the funds, the hacker left a message for the Alchemix and Curve teams, stating that the refunds were not due to the fear of being caught but out of a desire not to ruin the projects involved. The attack used reentrancy against the stable pools, exploiting vulnerable versions of the Vyper programming language.
This incident further raises concerns about the security of DeFi projects. Despite the evolution of the DeFi space, security remains a top issue that project development teams struggle with.
Incidents like this highlight the importance of robust security measures and timely responses to smart contract and protocol vulnerabilities. With the successful recovery of a significant portion of the stolen funds, the affected projects can now focus on strengthening their security measures to prevent such exploits in the future.