Curve Finance has opened a public bounty to retrieve outstanding stolen funds. There is still $18.5 million yet to be recovered from the July 30 exploit, which pilfered $61 million from various Curve pools.
Curve is seeking community assistance in identifying the hacker responsible. It has offered a 10% reward, worth $1.85 million, to the person who provides information that leads to prosecution.
Curve Finance Hack Prompts Ramped Up Investigation
On Aug. 6, Curve Finance announced that the window for the hacker to return 90% of the funds, and keep 10% without any repercussions, has passed.
The exploiter had until 08:00 UTC to adhere to the conditions. However, Curve Finance has now offered the public 10% for information which leads to convicting the hacker. Curve now demands a full 100% return of funds if the exploiter wishes to end the investigation. Any amount less will not prevent legal action from being taken.
Self-repaying loan platform Alchemix and NFT-staking platform JPEG’d reported on Aug. 5 that both had received most of their stolen funds back. However, $18.5 million from other Curve Finance pools has yet to be recovered.
The total value locked (TVL) on several of Curve Finance’s protocols was severely impacted by the July 30 exploit.
On Aug. 6, Curve extended that 10% bounty to the wider public. It stated that if anyone can help identify the exploiter with enough information to lead to prosecution, they will receive the reward.
Curve Finance took to the X platform to deliver the statement:
“The deadline for the voluntary return of funds in the Curve exploit passed at 0800 UTC. We now extend the bounty to the public, and offer a reward valued at 10% of remaining exploited funds (currently $1.85M USD) to the person who is able to identify the exploiter in a way that leads to a conviction in the courts.”
“If the exploiter chooses to return the funds in full, we will not pursue this further,” it added.
Mixed Response From the Public
The initial warning stated that if the hacker did not voluntarily return the funds by Aug. 6, the bounty would be opened to the public.
“If you choose not to participate in the voluntary return and complete the process by Aug. 6, we will expand the bounty to the public and offer the full 10% to the person who can identify you in a way that leads to your conviction in the courts.”
“We will pursue you from all angles with the full extent of the law,” it added.
X users gave a mixed response to how Curve Finance got into this position in the first place.
“This is the fault of blockchains not having governance and Defense in depth built directly into the blockchain protocol level,” one X user stated.
Another user queried, “What if it leads to a conviction, but funds aren’t recovered? Is bounty still good? Don’t have any info, and hope you find the perp, but worth clarification to avoid potential conflict down the road.”
Curve Opens $1.85M Hack Bounty to Public After Deadline Passes