en
Back to the list

Curve Finance vows to reimburse users after $62 million hack

source-logo  cointelegraph.com 12 August 2023 09:21, UTC

Curve Finance, a decentralized finance (DeFi) platform for lending stablecoins, has officially stated its intention to reimburse users who were impacted by the recent breach resulting in a $62 million loss from the system.

According to a post by Curve Finance, ongoing investigations are yielding progress, with approximately 79% of the funds successfully recuperated. The platform further emphasizes its current priority, which revolves around assessing the proportional portions of each impacted user.

This evaluation aims to ensure an equitable distribution of resources. The incident, which occurred on July 30, involved malicious actors exploiting vulnerabilities within the release history of Curve Finance's Vyper compiler.

Quick post-hack update.

While 70% of funds affected by the hack last week are recovered, active investigation with regards to the rest is underway.

In the meantime, we are also working on measuring the respective shares of each affected user with the goal of proper distribution

— Curve Finance (@CurveFinance) August 11, 2023

The individual behind the hack directed their attention specifically toward versions 0.2.15 to 0.3.0 of the Vyper compiler. Evidently, the hacker displayed an understanding of the precise weaknesses within the historical iterations of Vyper. The identification of these vulnerabilities would have demanded a significant degree of skill and substantial resources, as highlighted by experts in the field.

Notably, there are speculations that the undertaking was meticulously planned prior to its enactment. A contributor to Vyper is resolute in their belief that the scheme likely required hackers several weeks, if not months, to formulate. Among the pools that experienced ramifications are CRV/ETH, alETH/ETH, msETH/ETH and pETH/ETH. Furthermore, there is a growing concern that the tri-crypto pool on Arbitrum might also have been subject to this impact.

Related: Aave DAO opens voting on proposals to reduce CRV exposure

Regrettably, the assault reverberated across the entirety of the DeFi landscape. A comprehensive examination of the breach underscored a notable issue within the budding cryptocurrency sector; the absence of proper incentives to identify vulnerabilities in previous software iterations.

An incentive of 10% as a bounty was extended to the individual responsible for the breach, and upon acceptance of the proposition, the perpetrator instigated the procedure to restore the funds a few days later. This course of action was corroborated by Etherscan data, which validated that the individual behind the attack conducted three distinct transactions to the Alchemix Finance developer wallet. The cumulative value of these transfers amounted to 4,821 Ethereum (ETH), equivalent to $8,891,578 at the given time. As of now, the restitution process remains incomplete.

Magazine: Should crypto projects ever negotiate with hackers? Probably

cointelegraph.com