Curve offering $1.85 million bounty for exploiter's identity (and conviction)

Quick Take

  • Though the exploiter of Curve Finance returned some stolen funds, the DeFi project is offering a public bounty for information about their identity that could lead to a conviction — unless the hacker returns the funds in full.

Curve is offering a $1.85 million bounty to anyone who can accurately identify the DeFi protocol's exploiter in a way that leads to definitive legal repercussions.

"The deadline for the voluntary return of funds in the Curve exploit passed at 0800 UTC," Curve publicly wrote in an Ethereum transaction's input data, adding: "We now extend the bounty to the public, and offer a reward valued at 10% of remaining exploited funds (currently $1.85M USD) to the person who is able to identify the exploiter in a way that leads to a conviction in the courts."

Curve also noted that it would not pursue the issue if the exploiter returns the funds in full, and shared the full message on X (formerly Twitter).

Curve exploiter: 'I'm smarter than all of you'

Over $73 million was drained from Curve's pools on July 30 after an exploiter used vulnerable versions of the Vyper programming language to execute reentrancy attacks on targeted stable pools.

The attacker returned stolen crypto to projects Alchemix and JPEGd after being offered a 10% bug bounty, but did not refund other exploited pools.

"I want to clarify that I'm refunding you not because you can find me, it's because I don't want to ruin your project," they explained in a transaction, adding: "Maybe it's a lot of money for a lot of people, but not for me, I'm smarter than all of you."

Funds recovered

Curve’s factory pools reported a loss of $73.5 million, spread across multiple projects, including JPEGd, Metronome, and Alchemix. According to data from security firm PeckShield, $53 million, which accounts for 73% of the stolen funds, has been recovered.

The assailant who targeted Alchemix’s alETH-ETH pool on Curve handed back the entire $22 million. This figure consists of more than 12,000 ether (ETH). Additionally, a whitehat intervention successfully prevented a $13 million heist from Alchemix.

The individual responsible for the breach at JPEGd’s pETH-ETH pool returned 90% of the drained assets, amounting to 5,495 ETH ($11.5 million).

Furthermore, the funds misappropriated from Metronome’s sETH-ETH pool and Curve Finance’s CRV-ETH main pool, close to $7 million in total, were returned by an MEV bot operator going by the ENS name c0ffeebabe.eth. PeckShield indicated that there's still an outstanding $19.7 million in stolen funds yet to be returned.

This marks a period of relief for the CRV token. Its value had plunged by nearly 30%, dropping from $0.72 to $0.5 immediately after the hack. It is currently trading at $0.61 as funds are being returned.

Updated with additional information about the returned funds.

© 2023 The Block. All Rights Reserved.