The Curve decentralised finance (DeFi) protocol, which recently fell victim to an exploit on various pools following a flaw discovered in the Vyper language, is offering a $1.85 million bounty to reveal the identity of the attacker. This announcement comes after the attacker returned some of the stolen funds to other protocols, including Alchemix and JPEG’d.
Curve puts bounty on attacker’s head
The decentralised finance protocol (DeFi) Curve, which recently suffered an exploit following a flaw contained in the Vyper language, has just announced that a bounty of $1.85 million has now been placed on the identity of its attacker.
As we reported a few days ago, the attacker has reimbursed Alchemix, indicating that he was not interested in the 10% reward promised by the protocol, but rather in not ruining it. He has since returned the stolen cryptocurrencies to the JPEG’d protocol in full.
However, the attacker has not yet returned the funds to Curve, which was siphoned off $14 million from the CRV-ETH liquidity pool.
Funds hosted in attacker’s wallet
As a result, and as Curve had previously announced, the hacker’s identity is now at stake:
The deadline for the CRV/ETH exploit passeshttps://t.co/VphQ0bfYr2 pic.twitter.com/x8LP9Tx4rs
– Curve Finance (@CurveFinance) August 6, 2023
Via an on-chain message, Curve has warned the attacker that the case will end up in court if he doesn’t return the funds himself:
“The deadline for the voluntary return of funds in the Curve exploit has passed at 08:00 UTC. We are now extending the bounty to the public and offering a reward worth 10% of the remaining exploited funds (currently US$1.85 million) to the person who is able to identify the exploiter in a way that will lead to a conviction by the courts. “
A major DeFi protocol severely injured
On 30 July, several Curve pools were attacked following the discovery of a 0-day vulnerability in several older versions of Vyper, causing chaos in the world of decentralised finance. Indeed, Curve is an absolutely major player in DeFi, and such an attack is not without consequences, although the damage was fortunately mitigated.
The main danger concerned the positions held by Michael Egorov, Curve’s CEO, in various protocols. In particular, a position of more than $100 million in Aave V2, which threatened to be liquidated if the CRV price fell below $0.39.
Fortunately, Michael Egorov was able to sell CRV tokens over the counter to provide liquidity for his various loans and keep them afloat. With the CRV now hovering around $0.6, we can consider these positions to be healthy. For example, Aave’s largest position has a health rate of 2.18 at the time of writing.
Curve’s Total Locked Value (TVL) was also affected by the attack, although it has since recovered slightly :
TVL on Curve protocol
According to the latest data, 73% of the stolen funds ($52.3 million) have been returned. It remains to be seen whether the attacker will decide to return the remaining funds in order to collect his bounty and avoid prosecution, or whether he will decide to remain silent.
