Curve Finance fell victim to a reentrancy bug exploit in late July. The incident not only rattled the DeFi community but also exposed the platform to significant risks.
Curve Finance, a prominent player in the Decentralized Finance (DeFi) landscape, has launched a groundbreaking bug bounty program. The move comes in response to an unsettling exploit that targeted the protocol, exposing vulnerabilities and raising concerns within the community over the past week.
As the original deadline set for the exploiter(s) to return the stolen funds elapsed, Curve Finance is shifting its focus toward collective security efforts, engaging the broader community in safeguarding the ecosystem.
In an on-chain message, Curve Finance declared:
“The deadline for the voluntary return of funds in the Curve exploits passed at 0800 UTC. We now extend the bounty to the public, and offer a reward valued at 10% of the remaining exploited funds (currently $1.85M USD) to the person who is able to identify the exploiter in a way that leads to a conviction in the courts.”
The message also emphasized that should the exploiter choose to return the funds in full, the pursuit of this avenue would cease.
Recall that on Aug 3rd, Curve Finance and the other protocols affected by the breach presented an offer to the hacker responsible for the exploit. The proposition was clear: return the stolen assets and receive a substantial 10% bounty in exchange, a gesture that could potentially yield more than $6 million.
The move was seen as a pragmatic attempt to recover lost funds while highlighting the industry’s commitment to responsible and ethical behavior. In an encouraging twist, the hacker accepted the offer and promptly returned the stolen assets to Alchemix and JPEGd.
Although the hacker returned assets to certain protocols, refunds to the remaining affected pools were not fully completed. Following the expiration of the deadline, Curve Finance, in a display of resilience, has announced a new phase in its bug bounty approach.
Curve Finance Exploit: How It Unfolded
Curve Finance fell victim to a reentrancy bug exploit in late July. The incident, propelled by a vulnerability in the Vyper programming language it uses, not only rattled the DeFi community but also exposed the platform to significant risks, putting over $100 million worth of crypto assets in jeopardy.
The exploit targeted several stablecoin pools on Curve Finance’s platform. The affected pools, including alETH, msETH, and pETH, serve as essential components for pricing and liquidity across various DeFi services. The ripple effect of this vulnerability extended beyond Curve Finance itself, potentially impacting a wide range of interconnected DeFi projects.
Following the attack, Upbit, a prominent crypto exchange, promptly noted a surge in volatility surrounding the Curve Finance (CRV) token. The price of CRV plummeted by 12.36% on July 30, sending shockwaves through the DeFi community and sparking a series of apprehensions within the market. Accordingly, the token’s value crashed to $0.6.
Furthermore, a potentially cascading impact loomed as the price drop threatened to trigger a liquidation event involving the substantial $70 million borrowing position held by Curve Finance’s founder on Aave, another significant DeFi lending platform.