MEV bot runner 'c0ffeebabe.eth' returns $5.4 million amid Curve exploit

Quick Take

  • A white hat MEV bot operator named ‘c0ffeebabe.eth’ ethically returned 2,879 ETH ($5.4 million) to Curve Finance. 
  • The bot front-ran a malicious hacker and secured the funds, which were later returned to Curve.

In an act of ethical hacking, an MEV bot operator bearing the ENS name ‘c0ffeebabe.eth’ returned 2,879 ETH (valued at approximately $5.4 million) to Curve Finance. The funds had been diverted from the CRV-ETH liquidity pool during an exploit.

Curve faced a major hack yesterday that took place in two distinct phases. Initially, an estimated $26 million was appropriated due to a reentrancy vulnerability within its factory pools. This adversely impacted multiple projects, including JPEG'd, Metronome, and Alchemix.

This initial attack was succeeded by a second phase wherein 7.1 million CRV ($4.4 million) and 7,680 wrapped ether ($14.37 million) were drained from Curve Finance’s CRV-ETH pool.

Employing an MEV bot, the ethical hacker c0ffeebabe.eth was able to front-run a malicious hacker, securing the aforementioned 2,879 ETH during the second phase. This sum was later duly returned by c0ffeebabe.eth to the Curve deployer address, presumably its rightful custodian, according to on-chain analysis. 

Code vulnerability under scrutiny


The Curve incident was precipitated by a vulnerability in an outdated version of the Vyper programming language that allowed for reentrancy issues in Curve’s smart contract code. The lapse enabled attackers to siphon off funds from several projects.

Security firm PeckShield estimated that, in light of this vulnerability and subsequent malicious activities, the total assets siphoned from Curve pools amount to $52 million. However, after c0ffeebabe.eth's intervention, the amount lost falls to $46.5 million.

Curve Finance’s total value locked (TVL) has suffered a steep decline since the attack, dropping from $3.26 billion on July 30 to $1.74 billion, an almost 46% drop within a 24-hour span, according to data from DefiLlama.

© 2023 The Block. All Rights Reserved. This article is provided for informational purposes only. It is not offered or intended to be used as legal, tax, investment, financial, or other advice.

About Author

Vishal Chawla is The Block’s crypto ecosystems editor and has spent over six years covering tech protocols, cybersecurity, artificial intelligence and cloud computing. Vishal likes to delve deep into blockchain intricacies to ensure readers are well-informed about the continuously evolving crypto landscape. He is also a staunch advocate for rigorous security practices in the space. Before joining The Block, Vishal held positions at IDG ComputerWorld, CIO, and Crypto Briefing. He can be reached on Twitter at @vishal4c.


Editor of this story: Adam James