Cryptocurrency NewsCurve Finance Hacker Returns Stolen Funds After Receiving $7 Million Bug Bounty

Curve Finance Hacker Returns Stolen Funds After Receiving $7 Million Bug Bounty

After receiving nearly $7 million as a bug bounty reward, the attacker responsible for the Curve finance hack has decided to return the stolen funds. The attack, which occurred on July 30, resulted in the drainage of over $61 million in cryptocurrencies, with Alchemix’s alETH-ETH pool losing $13.6 million.

The hacker also targeted JPEGd’s pETH-ETH pool, causing outflows of $11.4 million, and Metronome’s sETH-ETH pool, resulting in a loss of over $1.6 million. The attack exploited vulnerabilities in the Vyper programming language through reentrancy attacks, specifically targeting stable pools on Curve Finance.

To recover the stolen funds, Curve, Metronome, and Alchemix initiated a joint effort on August 3, offering a 10% bounty as a reward and urging the hacker to return the remaining 90%. This would bring the total bug bounty close to $7 million.

Remarkably, the attacker began returning the stolen funds less than 24 hours after the bounty offer was made. Initially, they sent back 4,820.55 Alchemix ETH (alETH) to the Alchemix Finance team, completing the transaction on August 5.

The attacker left a message, seemingly directed at the Alchemix and Curve teams, stating that they were refunding not because they were afraid of being caught, but because they did not want to “ruin” the projects involved.

In addition to Alchemix, the nonfungible token protocol JPEG’d also received a refund of 5,495 Ether from the hacker. As part of the bounty offer, the protocol has decided not to pursue any legal action against the perpetrators, viewing the incident as a white-hat rescue.


Join us

- Advertisement -