Curve Finance Offers Bounty to Identify Exploiter
Curve Finance offers $1.85 million bounty to identify hacker after $60 million exploit; some funds returned voluntarily, security concerns raised in DeFi ecosystem.
- Curve Finance offers $1.85M bounty for exploiter ID after $60M loss.
- Deadline passes for voluntary return of stolen funds.
- Hacker returns some funds but misses refund deadline.
- Hacker exploits vulnerabilities, prompts DeFi security concerns.
Curve Finance, the decentralized finance (DeFi) platform that suffered a devastating exploit resulting in a loss of over $60 million, has announced a bounty of $1.85 million to anyone who can identify the exploiter. In a Twitter announcement on Monday, the DeFi protocol stated that the deadline for the “voluntary return of funds” in the Curve Finance heist has already passed.
“We now extend the bounty to the public, and offer a reward valued at 10% of remaining exploited funds (currently $1.85M) to the person who is able to identify the exploiter in a way that leads to a conviction in the courts,” the announcement read.
Dear hacker, you’ve got an incoming message https://t.co/ZKJjrO65PX
— Curve Finance (@CurveFinance) August 3, 2023
Curve Finance’s Offer to the Hacker
Following the exploit, Curve Finance had initially offered the anonymous hacker 10% of the stolen funds as a reward for returning the assets by August 6. Other impacted protocols, including lending protocol Alchemix and NFT lending protocol JPEGd, also joined this offer. The DeFi projects assured the hacker that they would not take any further legal action or pursue convictions if the stolen funds were voluntarily returned.
On the same day that Curve announced the bounty to identify the hacker, the exploiter returned some of the stolen cryptocurrency to Alchemix and JPEGd after receiving a 10% bug bounty. The hacker confirmed the deposit address by leaving a message on the blockchain. According to a tweet by PeckShieldAlert, approximately $52.3 million, or 73% of the stolen funds, have been returned by various parties.
In a message to the Alchemix and Curve teams, the hacker stated that the return of funds was not due to fear of being caught but rather to avoid negatively impacting the projects. They proclaimed, “I want to clarify that I’m refunding you not because you can find me, it’s because I don’t want to ruin your project. Maybe it’s a lot of money for a lot of people, but not for me, I’m smarter than all of you.”
Failure to Complete Refunds Prompts Bounty
However, the exploiter did not complete the refunds to Curve Finance and missed the deadline set by the protocol. As a result, Curve has opened the bounty to the public and announced that the perpetrator, once apprehended, would face definitive legal repercussions.
It is believed that the hacker utilized reentrancy attacks on vulnerable versions of the Vyper programming language to target DeFi protocols. The incident highlights the ongoing challenges faced by the DeFi ecosystem in securing its platforms against exploitation and the need for enhanced security measures.