Curve Finance, the decentralized finance (DeFi) protocol that experienced a devastating hack that siphoned around $61 million in funds, has extended its bug bounty offer of $1.85 million to anyone who can identify the hacker responsible for draining funds from the platform.
Curve Finance’s offer comes after the attacker failed to return all the funds before the deadline.
On Aug. 3, Curve and other protocols impacted by the exploit pooled a bug bounty equivalent to 10% of the total funds drained from the platform, amounting to over $6 million. But since the hacker failed to return all the stolen funds before the deadline, the DeFi protocol opened the bug bounty to the public and offered a reward to anyone who could successfully identify the malicious actor.
“The deadline for the voluntary return of funds in the Curve exploit passed at 0800 UTC,” Curve Finance said in an Ethereum transaction’s input data.
“We now extend the bounty to the public and offer a reward valued at 10% of remaining exploited funds (currently $1.85M USD) to the person who is able to identify the exploiter in a way that leads to a conviction in the courts,” the platform noted before saying that “if the exploiter chooses to return the funds in full, we will not pursue this further.”
Curve Finance’s latest tweet came on the heels of Alchemix’s announcement of the return of all of its stolen funds, which included 4,819 alETH and 2,259 ETH worth nearly $13 million.
“We are extremely happy to announce that all funds stolen by the hacker of the Alchemix @CurveFinance pool have now been returned,” the DeFi lender said in a tweet over the weekend.
Non-fungible token (NFT) and DeFi protocol JPEG’d also received roughly $10 million of returned stolen funds from the Curve Finance hacker, consisting of 5,495 Ether.
As payment for the returned funds, which were stolen on July 30, the hacker received a 610.6 ETH ($1.1 million) bounty.
“The JPEG’d DAO confirms receipt of 5,494.4 WETH back to the JPEG’d Multisig for a total of 5,495.4 WETH. A 10% white-hat bounty of 610.6 WETH was awarded to the owner of the address that recovered funds from the pETH exploit,” the DeFi lending protocol tweeted.
“We, the JPEG’d team, based on confidential discussions, formally assert that upon successful return of the funds to the JPEG’d DAO multisig,” will not take any legal action “against the operator of the address 0x6Ec21d1868743a44318c3C259a6d4953F9978538 and 0x9d1ec3375252d4ab3c128f9774be266f67faa0bd” including “the entity controlling above addresses previously secured 6,106 WETH from the pETH/ETH pool in transaction 0xa84aa065ce61dbb1eb50ab6ae67fc31a9da50dd2c74eefd561661bfce2f1620c,” it further said.
“Any further investigations or legal matters against the entity will end,” it said, before adding that the “occurrence” was a “white-hat rescue” and as a result will reward the address “10% of the rescued fund as a white-hat bounty from the JPEG’d team, which translates to 610.6 WETH.”
It is worth noting that the malicious actor posted a message seemingly directed at Alchemix and Curve protocols, noting that they were willing to return the funds not because the people involved could find them, but because they said they did not want to “ruin” the projects involved.
“I’m refunding you not because you can find me, it’s because I don’t want to ruin your project, maybe it’s a lot of money for a lot of people, but not for me, I’m smarter than all of you,” the hacker’s on-chain gloating message read.
Jeff Mei, chief operations officer of the digital asset exchange BTSE, told International Business Times via email that “the recent hack of the Curve protocol has shaken the DeFi community, highlighting the continued vulnerabilities of decentralized platforms.”
“The hack resulted in the loss of up to US$47 million, although some funds were eventually recovered,” the executive said, noting that “multiple liquidity pools were also put at risk.”
Mei, who leads the global expansion and strategic operations of BTSE, explained that the Curve Finance hack “once again exposes the risks associated with smart contracts, and the potential for malicious actors to exploit weaknesses in decentralized systems.”
“While the DeFi space continues to see remarkable growth and innovation, this incident serves as a sobering reminder that the security concerns of decentralized exchanges are far from being resolved. As a result, it’s likely that we will see more overlap between CEXs and DEXs in the future, for a better balance of the strengths of each,” he added.
On July 30, the malicious actor exploited multiple Curve Finance stable pools that use the Vyper programming language, taking advantage of a vulnerability found in Vyper versions 0.2.15, 0.2.16 and 0.3.0.
In the attack, Alchemix’s alETH-ETH pool lost $13.6 million, JPEG’d’s pETH-ETH pool lost $11.4 million, and Metronome’s sETH-ETH pool lost $1.6 million.
Additionally, 32 million Curve DAO (CRV) tokens amounting to approximately $22 million were also drained from the swap pool because of the exploit, as confirmed by Curve Finance CEO Michael Egorov, who said they “didn’t make it before the hacker.”