Curve Finance offers $1.85 million bounty to identify hacker responsible for pETH funds

52
3
Curve Finance offers $1.85 million bounty to identify hacker responsible for pETH funds

Curve Finance, the decentralized finance protocol that siphoned over $61 million in funds, has extended its bug bounty offer of $1.85 million to anyone who could identify the hacker responsible for draining funds from the platform.

Curve Finance's offer comes just days after the attacker failed to return all the money before the deadline.

On Aug. 3 Curve and other protocols impacted by the exploit pooled a bug bounty equal to 10% of the total money drained from the platform, amounting to more than $6 million. But since the hacker failed to return all the stolen money before the deadline, the DeFi opened the bug bounty to the public, offering a reward for anyone who could successfully identify the malicious actor.

Curve Finance said in an Ethereum transaction's input data.

Curve Finance's tweet came on the heels of Alchemix's announcement of the return of all of its stolen funds, which included 4,819 alETH and 2259 ETH worth nearly $13 million.

Non-fungible token and DeFi protocol JPEG also received about 10 million of recovered funds from the Curve Finance hacker, consisting of 5,495 Ether.

In payment for the stolen money, which was stolen on July 30, the hacker received a 610.6 ETH bounty.

The d DAO confirms receipt of 5,494.4 WETH back to the JPEG'd Multisig for a total of 5,495.4 WETH. A 10% white-hat bounty of 610.6 WETH was awarded to the owner of the address that recovered funds from the pETH exploit.

d team, based on confidential discussions, said that after successful return of the funds to JPEG's DAO multisig,'shut down any legal action against the operator of the address 0x6Ec21d1868743a443c259ade4953f4953F9978538 and 0x9d1ec3375252d4ab3c128f9774be266f67faa0bd' including the entity controlling above addresses previously secured from the pETH/ETH pool in transaction 0xa84aa065ce61dbb1eb50ab6ae67fc31a9da50dd2cefd561661bfce2f1620c'.

It is worth noting that the malicious actor posted a message seemingly directed at Alchemix and Curve protocols, noting that they were willing to return the funds, not because the people involved could find them, but because they did not want to 'ruin' the projects involved.

I'm refunding you not because you can find me, it's because I don't want to ruin your project, maybe it's a lot of money for a lot of people, but not for me, I'm smarter than all of you.

'S likely that we will see more overlap between CEXs and DEXs in the future, for a better balance of the strengths of each,' he said.

The attacker exploited multiple Curve Finance stable pools using the Vyper programming language on July 30 because of the vulnerability found in Vyper's versions 0.2.15, 0.2.16 and 0.3.0.

The attack saw Alchemix's alETH-ETH lose $13.6 million, JPEG'd's pETH-ETH pool witnessed $11.4 million in funds leave the platform, and Metronome's sETH-ETH pool lost $1.6 million.

In addition, 32 million Curve DAO tokens amounting to approximately $22 million were also drained from the exchange pool, as confirmed by Curve Finance CEO Michael Egorov, who said they didn't make it before the hacker.