Curve Finance Offers Public Bounty of $1.85 Million to Identify Hacker
Curve Finance, the troubled DeFi platform that lost over $60 million last week in an exploit, has announced a bounty of $1.85 million to anyone who can identify the exploiter.
In a Tweet Monday, the DeFi protocol noted that the deadline for the “voluntary return of funds” in the Curve Finance heist has already passed.
“We now extend the bounty to the public, and offer a reward valued at 10% of remaining exploited funds (currently $1.85M) to the person who is able to identify the exploiter in a way that leads to a conviction in the courts.”
The deadline for the CRV/ETH exploiter passeshttps://t.co/VphQ0bfYr2 pic.twitter.com/x8LP9Tx4rs
— Curve Finance (@CurveFinance) August 6, 2023
The on-chain message further read, “if the exploiter chooses to return the funds in full, we will not pursue this further.”
Following the heist, Curve offered the anonymous hacker 10% of the stolen funds for returning the entire assets by August 6. Other impacted protocols, including lending protocol Alchemix and NFT lending protocol JPEGd, joined Curve in this offer.
The DeFi projects have assured as an incentive that they will not pursue any further actions or legal convictions, provided the exploiter(s) voluntarily return the stolen funds.
“I am Smarter Than All of You” – Curve Hacker
On the same day as Curve announced a bounty to the hacker, the exploiter returned stolen crypto to projects Alchemix and JPEGd after receiving a 10% bug bounty.
The hacker returned some of the stolen funds, confirming the deposit address in a blockchain message. According to a Tweet by PeckShieldAlert, approximately $52.3 million, or 73% of the stolen funds, have been returned by various parties.
We are extremely happy to announce that all funds stolen by the hacker of the Alchemix @CurveFinance pool have now been returned.
— Alchemix (@AlchemixFi) August 5, 2023
Full post mortem coming.
The JPEG'd DAO confirms receipt of 5,494.4 WETH back to the JPEG'd Multisig for a total of 5,495.4 WETH. A 10% white-hat bounty of 610.6 WETH was awarded to the owner of the address that recovered funds from the pETH exploit.https://t.co/nIBwHHxfQU
— JPEG'd (@JPEGd_69) August 4, 2023
The hacker sent a message before returning the funds to the Alchemix and Curve teams, saying that the return of funds is not because the hackers are afraid of being caught but because they didn’t want to affect the projects.
“I want to clarify that I’m refunding you not because you can find me, it’s because I don’t want to ruin your project. Maybe it’s a lot of money for a lot of people, but not for me, I’m smarter than all of you.”
However, the exploiter didn’t complete the refunds to Curve Finance, passing the deadline and prompting the protocol to open the bounty to the public. Curve has announced that the perpetrator, once caught, would face definitive legal repercussions.
The hacker responsible for the breach apparently used a technique called reentrancy attacks on vulnerable versions of the Vyper programming language to target DeFi protocols.
