Curve Recoups 73% of Hacked Funds, Bolstering CRV Sentiment
A public bounty is now open for finding the remaining funds with a $1.8 million reward.
Aug 7, 2023 at 7:21 a.m. UTC
/arc-photo-coindesk/arc2-prod/public/LXF2COBSKBCNHNRE3WTK2BZ7GE.png)
- White-hat hackers and attackers have returned over 73% of all funds stolen from Curve Finance after the lending platform was attacked last week.
- The relatively swift recovery has bolstered sentiment for CRV tokens, which have pared most of the losses from a 30% drop following the attack.
Curve Finance has recouped 73% of funds stolen during a hack that saw the lending platform lose over $73 million worth of tokens, causing contagion effects across the broader ecosystem.
Over the past week, all $22 million in ether (ETH) and ether derivatives stolen from lending protocol Alchemix were returned. A trading bot returned 90% in ether stolen from lending platform JPEG'd; pseudonymous ethical hacker “c0ffeebabe.eth” returned over $6 million taken from decentralized-finance, or DeFi, platform Metronome and a Curve trading pool; and another ethical hacker returned $13 million from Alchemix.
Curve, which lets users cheaply swap stablecoins on its platform, was hit by a reentrancy attack that allowed attackers to steal tokens from Curve, and lending and borrowing platforms Metronome and Alchemix. Those affected protocols have since offered a 10% bounty for returning the assets by Aug. 6, as reported.
Reentrancy is a common bug that allows attackers to trick a smart contract by making repeated calls, or software commands, to a protocol in order to steal assets. The attack was traced to faulty code on Vyper, a programming language used to power parts of the Curve system.
Shortly following the attacks, Curve offered a 10% bounty to attackers for the return of the funds. On Friday, the attacker started to return funds to Alchemix after confirming the deposit address in a blockchain message.
Over $18 million in stolen funds are still remaining, with Curve opening up the bounty to the public on Sunday night.
“The deadline for the voluntary return of funds in the Curve exploit passed at 0800 UTC,” Curve Finance said in a blockchain transaction. “We now extend the bounty to the public, and offer a reward valued at 10% of remaining exploited funds (currently $1.85M) to the person who is able to identify the exploiter in a way that leads to a conviction in the courts.
“If the exploiter chooses to return the funds in full, we will not pursue this further,” the protocol added.
The return of funds has buoyed sentiment for Curve — which is often referred to as one of the most influential platforms in the DeFi ecosystem — and its governance tokens CRV.
CRV lost almost 30% of value, from 72 cents to as low as 50 cents, in the days following the exploit and has since pared losses amid the positive developments, trading at 61 cents on Monday morning.
:format(webp)/s3.amazonaws.com/arc-authors/coindesk/6c6bb5af-692c-4fcf-9f8b-a75d0549effd.png)
Shaurya is the Deputy Managing Editor for the Data & Tokens team, focusing on decentralized finance, markets, on-chain data, and governance across all major and minor blockchains.