- The $73 million DeFi hack took place on July 30 across several Curve Finance pools.
- The hacker only returned stolen money to a few pools. $19 million in assets has still not been recovered.
The DeFi protocol Curve Finance has offered a $1.85 million bounty to anyone who can identify the exploiter responsible for the recent reentrancy attack.
The crypto hack took place on July 30, resulting in the theft of over $73 million worth of crypto assets from Curve’s various pools. Affected pools include Alchemix, JPEG’d, and Metronome.
#PeckShieldAlert A total of ~$73.5 million in cryptos #Ethereum were stolen in the #Curve Exploitation of re-entry. So far, ~73% of them (~$52.3 million) have been returned. The remaining ~$19.7 million in cryptos at #Ethereum have not yet been returned by the 1st Curve CRV-ETH operator…
— Leviathan News (@leviathan_news) August 7, 2023
Reentrancy is a common bug that lets a hacker trick a smart contract into paying out assets again and again by calling back into the protocol repeatedly. The attack was found to be caused by faulty Vyper code. That code forms the basis of various parts of the Curve Finance system.
The affected protocols, including Curve Finance, first offered the hacker a 10% bug bounty on August 3. Although the hacker accepted the offer, they returned the stolen money only to Alchemix and JPEG’d.
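To make the reentrancy description above concrete, here is an added example (not code from Curve, Vyper, or this article): a constructed Python model of a pool whose withdrawal pays out before it clears the caller's balance, run once without and once with a reentrancy lock. The `Pool` class, the `run` function, and all amounts are hypothetical.

```python
# Constructed toy model of a liquidity pool; not Curve's or Vyper's code.
class Pool:
    def __init__(self, guarded):
        self.guarded = guarded   # True: withdraw() holds a reentrancy lock
        self.locked = False
        self.balances = {}       # depositor -> amount credited
        self.reserves = 0        # assets the pool actually holds

    def deposit(self, who, amount):
        self.balances[who] = self.balances.get(who, 0) + amount
        self.reserves += amount

    def withdraw(self, who, on_receive):
        if self.guarded:
            if self.locked:
                raise RuntimeError("reentrant call rejected")
            self.locked = True
        try:
            amount = self.balances.get(who, 0)
            if amount == 0 or self.reserves < amount:
                return 0
            self.reserves -= amount
            on_receive(amount)       # external call: control leaves the pool
            self.balances[who] = 0   # balance cleared only after the payout
            return amount
        finally:
            if self.guarded:
                self.locked = False


def run(guarded):
    """Return (total paid to the caller, reserves left) for one withdrawal."""
    pool = Pool(guarded)
    pool.deposit("others", 90)   # constructed sample amounts
    pool.deposit("caller", 10)
    paid = []

    def on_receive(amount):
        paid.append(amount)
        try:
            pool.withdraw("caller", on_receive)  # calls back in mid-withdrawal
        except RuntimeError:
            pass                                 # the lock refused the nested call

    pool.withdraw("caller", on_receive)
    return sum(paid), pool.reserves


if __name__ == "__main__":
    print("no lock:  ", run(False))
    print("with lock:", run(True))
```

Clearing the balance before the external call would close the same hole even without the lock.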
The JPEG’d DAO acknowledges receipt of 5,494.4 WETH back to the JPEG’d Multisig for a total of 5,495.4 WETH. A 10% white-hat bounty of 610.6 WETH was awarded to the owner of the address who recovered funds from the pETH exploit. https://t.co/nIBwHHxfQU
— JPEG (@JPEGd_69) August 4, 2023
There is still over $19 million in stolen money left.
Curve Finance announced on August 6 that the deadline for the hacker to return all funds has passed. It then announced a bounty of 10% of the unrecovered funds, $1.85 million. The protocol also said it will take the case to court for sentencing.
The deadline for the CRV/ETH exploiter is passing https://t.co/VphQ0bfYr2 pic.twitter.com/x8LP9Tx4rs
— Curve Finance (@CurveFinance) August 6, 2023
How the DeFi space is handling the attack
In the wake of the Curve Finance exploit, the DeFi vertical of the crypto ecosystem has experienced a 7% drop in total value locked (TVL). DeFi TVL held across multiple chains amounted to approximately $41 billion, according to DefiLlama.
Source: DefiLlama
The DeFi lending protocol AAVE suffered a drop of nearly 7% within a week. This was due to the protocol's significant exposure to the loans that Curve Finance founder Michael Egorov held on the platform.
Source: DefiLlama
Egorov had loans against the project’s own CRV tokens from several DeFi lenders. It later emerged that Egorov had made several over-the-counter deals worth $42.4 million with several notable crypto influencers.
