- Curve Finance has placed a $1.9 million bounty on one of the exploiters who attacked the protocol on July 30.
- The protocol placed the bounty after the hacker failed to return stolen funds by a Sunday deadline.
- Separate hackers who exploited the alETH and pETH Curve trading pools retuned funds before the deadline.
Curve called on the public to identify one of the culprits behind last week’s exploit after the hacker failed to return stolen funds by a Sunday deadline.
The DeFi protocol put out an ultimatum to hackers on August 3: return all stolen funds (sans a 10% whitehat bounty) by 8am London time on August 6, or the protocol would put out a nearly $1.9 million bounty, claimable by anyone who “is able to identify the exploiter in a way that leads to a conviction in the courts.”
“If the exploiter chooses to return the funds in full, we will not pursue this further,” the message, sent out via an on-chain message, read.
Hackers who separately exploited the Alchemix alETH-ETH and JPEG’d pETH-ETH pools returned funds earlier this week. However, the hacker who drained the CRV-ETH pool for 32 million CRV tokens, worth around $18 million at the time of the hack, did not.
The hope is that now the public bounty against the CRV-ETH pool exploiter is active, crypto sleuths, or entities with knowledge of the hacker’s identity, will be motivated to come forward with information.
The deadline for the CRV/ETH exploiter passeshttps://t.co/VphQ0bfYr2 pic.twitter.com/x8LP9Tx4rs
— Curve Finance (@CurveFinance) August 6, 2023
Several of Curve’s liquidity pools were drained by hackers on July 30. After an initial exploit to the pETH-ETH pool, word of the vulnerability spread, leading to several seemingly unconnected hackers exploiting various Curve trading pools in the hours that followed.
In total, hackers drained over $61 million worth of crypto from Curve.
Shortly after the exploits, developers determined that the attacks were possible due to a vulnerability in Vyper, the programming language used to develop Curve’s liquidity pools.
NOW READ: How hackers turn stolen crypto into cash
Vyper developers published a postmortem of the exploits on August 6, identifying several older versions of the programming language that are also vulnerable. They also proposed new measures to prevent similar exploits in the future.
Hackers accept bounty
Curve’s ultimatum asking the exploiters to return funds in exchange for 10% of the stolen funds and the promise that they will not pursue legal action was mostly effective, despite the CRV-ETH pool hacker’s holdout.
On August 4, JPEG’d reported that the hacker who exploited the pETH-ETH pool returned 5,494 wrapped Ether, worth approximately $10 million, fulfilling the conditions of the ultimatum.
Then a day later on August 5, Alchemix tweeted that the hacker who had exploited the alETH-ETH pool also returned $22 million worth of stolen funds.
NOW READ: Indexed Finance hacker now says he’s a whitehat
Rather than walking away with the 10% bounty, the Alchemix exploiter proceeded to taunt both Alchemix, and crypto sleuths attempting to uncover their identity.
“I saw some ridiculous views,” they wrote in an on-chain message, “so [I] want to clarify that I’m refunding you not because you can find me, but because I don’t want to ruin your project, maybe it’s a lot of money for a lot of people but not for me, I’m smarter than all of you.”
However, their attitude was short-lived. In another message on August 5, the exploiter wrote, “History is written by the victors, I make huge mistake, so you are smarter than me, great job!”
CRV loans still at risk
The return of funds stolen from the JPEG’d and Alchemix pools comes as a relief to the protocols, and the users who lost money. But it has done little to assuage the fears of DeFi lending protocols tied up in loans to Curve founder Michael Egorov.
Egorov’s biggest loan used $220 million worth of Curve tokens — which represents 30% of the entire Curve supply — to borrow $65 million from lending protocol Aave. Egorov also has smaller CRV-backed loans at Fraxlend, Abracadabra, and Inverse Finance.
These loans have become risky because CRV liquidity has declined. This shrinking liquidity was exacerbated by the $18 million worth of CRV stolen from the CRV-ETH pool. With thin CRV liquidity across DeFi, if the CRV-ETH pool exploiter attempts to sell their stolen CRV, it would likely crash the token’s price and could force Egorov’s loans into liquidation.
If the loans are liquidated in one protocol, it could spread panic and lead to a cascade of liquidations at the others — potentially leaving one of them holding the bulk of the bad debt and being forced to use its own funds to pay it off.
Egorov recently sold $46 million worth of CRV in over-the-counter deals to various parties including Tron founder Justin Sun, liquidity provider Wintermute, and digital asset market maker DWF Labs.
DL News previously asked Egorov if the deals had helped him stabilise his loans for the foreseeable future.
“I think so,” he replied.
A previous version of this article incorrectly stated that all the July 30 Curve Finance exploits were conducted by a single entity. It has been corrected to make clear that separate entities exploited the alETH-ETH, pETH-ETH, and CRV-ETH trading pools respectively.
Disclaimer: The two co-founders of DL News were previously core contributors to the Curve protocol.
Do you have a tip about the Curve exploits or another story, please contact me at ty@dlnews.com.