Curve Finance offers $1.85 million bounty for hacker responsible for siphoning funds

82
3
Curve Finance offers $1.85 million bounty for hacker responsible for siphoning funds

Curve Finance, the decentralized finance protocol that siphoned about $61 million in funds, has extended its bug bounty offer of $1.85 million to anyone who can identify the hacker responsible for draining funds from the platform.

Curve's offer comes after the attacker failed to return all the funds before the deadline.

On Aug. 3 Curve and other protocols impacted by the exploit pooled a bug bounty equivalent to 10% of the total funds drained from the platform, worth more than $6 million. Since the hacker did not return all the stolen funds before the deadline, DeFi opened the bug bounty to the public and offered a prize for anyone who could successfully identify the malicious actor.

Curve Finance said in an Ethereum transaction's input data.

Curve Finance's latest tweet came on the heels of Alchemix's announcement that it would return all of its stolen funds, which included 4,819 alETH and 2259 ETH worth nearly $13 million.

JPEG also received around $10 million of returned stolen money from the Curve Finance hacker, consisting of 5,495 Ether.

The hacker received a 610.6 ETH bounty as payment for the stolen funds, which were stolen on July 30.

d DAO confirms receipt of 5,494.4 WETH back to JPEG'd Multisig for a total of 5,495.4 WETH. A 10% White-hat bounty of 610.6 WETH was awarded to the owner of the address that recovered funds from the pETH exploit, DeFi said in a statement.

d team, based on confidential discussions, assert that upon successful return of the funds to the JPEG'd DAO multisig, ''we shall not make any legal action 'against the operator of the address 0x6Ec21d1868743a443ab1eb50ab6ae67fc31af2c74eefd561661bbd' including the entity controlling above addresses previously secured from the pETH/ETH pool in transaction 0xa84aa065ce61dbb1eb50ab6ae67fc31a9da50dd2c74eefd561661bbfce2f1620c'' including the entity controlling above addresses previously secured 6106 WETH from the pETH/ETH pool.

It's worth noting that the malicious actor posted a message seemingly directed at Alchemix and Curve protocols noting that they were willing to return the funds, not because the people involved could find them, but because they said they did not want to 'ruin' the projects involved.

'I'm refunding you not because you can find me, it's because I don't want to ruin your project, maybe it's a lot of money for a lot of people, but not for me, I'm smarter than all of you,' he said.

We will see more overlap between CEXs and DEXs in the future for a better balance of the strengths of each, he said.

On July 30, the malicious actor exploited multiple Curve Finance stable pools using the Vyper programming language because of the vulnerability found in Vyper's versions 0.2.15, 0.2.16 and 0.3.0.

The attack resulted in Alchemix's alETH-ETH lost $13.6 million, JPEG's pETH-ETH pool witnessed $11.4 million in funds leaving the platform, and Metronome's sETH-ETH pool lost $1.6 million.

The hacker, Curve Finance CEO Michael Egorov, said 32 million Curve DAO tokens amounting to approximately $22 million were also drained from the swap pool because of the exploit.