en
Back to the list

Curve Recoups 73% of Hacked Funds, Bolstering CRV Sentiment

source-logo  coindesk.com 07 August 2023 08:44, UTC

Whitehats hackers and attackers have returned over 73% of all funds stolen from Curve Finance after its early August exploit.

The relatively swift recovery has bolstered sentiment for CRV tokens, which have pared most of the losses from a 30% drop following the attack.

Curve Finance has recouped some 73% of funds stolen during a hack, which saw the platform lose over $73 million worth of various tokens, causing contagion effects in the broader ecosystem.

Over the past week, all $22 million in ether (ETH) and ether derivatives stolen from lending protocol AlchemixFi were returned. A trading bot returned 90% in ether stolen from JPEGd, ethical hacker “c0ffeebabe.eth” returned over $6 million from synthetic protocol Metronome and a Curve trading pool, while another ethical hacker returned $13 million from Alchemix.

Curve, which lets users cheaply swap stablecoins on its platform, was hit by a reentrancy attack that allowed attackers to steal tokens from Curve, and lending and borrowing platforms Metronome and Alchemix. These affected protocols have since offered a 10% bounty for returning the assets by August 6, as reported.

Reentrancy is a common bug that allows attackers to trick a smart contract by making repeated calls, or software commands, to a protocol in order to steal assets. The attack was traced to faulty code on Vyper, a programming language used to power parts of the Curve system.

Shortly following the attacks, Curve offered a 10% bounty to attackers for the return of the funds. On Friday, the attacker started to return funds to Alchemix after confirming the deposit address in a blockchain message.

Over $18 million in stolen funds are still remaining, with Curve opening up the bounty to the public on Sunday night.

“The deadline for the voluntary return of funds in the Curve exploit passed at 0800 UTC,” Curve Finance said in a blockchain transaction. “We now extend the bounty to the public, and offer a reward valued at 10% of remaining exploited funds (currently $1.85M) to the person who is able to identify the exploiter in a way that leads to a conviction in the courts.”

“If the exploiter chooses to return the funds in full, we will not pursue this further,” the protocol added.

The return of funds has buoyed sentiment for Curve – which is often referred to as one of the most influential platforms in the DeFi ecosystem – and its governance tokens CRV.

CRV lost almost 30% of value, from 72 cents to as low as 50 cents, in the days following the exploit and has since pared losses amid positive developments, trading at 61 cents as of Monday morning.

coindesk.com