Decentralized finance (DeFi) protocol Curve Finance is extending a bug bounty offer to anyone who is able to identify the exploiter responsible for draining over $61 million from its pools on July 30.
Curve and other protocols affected by the attack offered a 10% bug bounty to the hacker on Aug. 3, totaling more than $6 million. Upon accepting the offer, the hacker returned stolen assets to Alchemix and JPEGd, but did not complete refunds to other affected pools. As the deadline has passed, anyone who can identify the attacker will now be rewarded with assets worth $1.85 million.
“The deadline for the voluntary return of funds in the Curve exploit passed at 0800 UTC. We now extend the bounty to the public, and offer a reward valued at 10% of remaining exploited funds (currently $1.85M USD) to the person who is able to identify the exploited in a way that leads to a conviction in the courts,” reads the on-chain message, adding that “if the exploiter chooses to return the funds in full, we will not pursue this further.”
— Curve Finance (@CurveFinance) August 6, 2023
Prior to returning the funds, the attacker posted a message that appears to have been directed at the Alchemix and Curve teams, claiming to be willing to return the funds only because they didn’t want to “ruin” the projects involved. “I’m refunding not because you can find me, it’s because I don’t want to ruin your project,” reads the on-chain message.
The attack occurred on July 30 and resulted in the drain of over $61 million in cryptocurrencies from Curve’s pools, including $13.6 million from Alchemix’s alETH-ETH, $11.4 million from JPEGd’s pETH-ETH, and $1.6 million from Metronome’s sETH-ETH. The hacker targeted stable pools using vulnerable versions of the Vyper programming language through reentrancy attacks.
The exploit exposed vulnerabilities across DeFi projects and sparked efforts to recover stolen funds across the ecosystem over the past week.