MEV bot runner 'c0ffeebabe.eth' returns $5.4 million amid Curve exploit

In an act of ethical hacking, an MEV bot operator bearing the ENS name ‘c0ffeebabe.eth’ returned 2,879 ETH (valued at approximately $5.4 million) to Curve Finance. The funds had been diverted from the CRV-ETH liquidity pool during an exploit.

Curve faced a major hack yesterday that took place in two distinct phases. Initially, an estimated $26 million was appropriated due to a reentrancy vulnerability within its factory pools. This adversely impacted multiple projects, including JPEG'd, Metronome, and Alchemix.

This initial attack was succeeded by a second phase wherein 7.1 million CRV ($4.4 million) and 7,680 wrapped ether ($14.37 million) were drained from Curve Finance’s CRV-ETH pool.

Employing an MEV bot, the ethical hacker c0ffeebabe.eth was able to front-run a malicious hacker, securing the aforementioned 2,879 ETH during the second phase. This sum was later duly returned by c0ffeebabe.eth to the Curve deployer address, presumably its rightful custodian, according to on-chain analysis. 

Code vulnerability under scrutiny

The Curve incident was precipitated by a vulnerability in an outdated version of the Vyper programming language that allowed for reentrancy issues in Curve’s smart code. The lapse enabled attackers to siphon off funds from several projects.

Security firm PeckShield estimated that, in light of this vulnerability and subsequent malicious activities, the total assets siphoned from Curve pools amount to $52 million. However, after c0ffeebabe.eth's intervention, the amount lost falls to $46.5 million.

Curve Finance’s total value locked (TVL) has suffered a steep decline since the attack, dropping from $3.26 billion on July 30 to a $1.74 billion, constituting an almost 46% drop within a 24-hour span, according to data from DefiLlama.