- Ether worth $22 million and all ether derivatives were returned
- Curve offered a reward valued at 10% of remaining exploited funds
- $18 million in stolen assets has yet to be returned
White hat hackers have returned almost three-quarters of the funds Curve Finance lost in an exploit late July 30. The attacker had drained more than $100 million after a “re-entrancy” bug in Vyper, a programming language behind some Curve ecosystem components.
A swift recovery
The relatively speedy recovery has also helped restore some of the CRV token value. CRV lost 30% after the attack. At the time of writing, it was trading for $0.62.
Ether worth $22 million and all ether derivatives that had been stolen were returned this past week. An ethical hacker returned over $6 million from a Curve trading pool and synthetic protocol Metronome. A trading bot returned 90% in ether stolen from JPEGd. Another ethical hacker retrieved $13 million from Alchemix.
Affected platforms offered 10% bounty
After the attack, loan platforms Metronome and Alchemix offered a 10% reward for returning the funds. On August 4, the attacker confirmed the deposit address in a blockchain message and started to return money to Alchemix. Another $18 million or so in stolen assets remain outstanding. The Curve ecosystem had announced the bounty publicly in the evening on August 6.
Curve stated in a blockchain transaction:
The deadline for the voluntary return of funds in the Curve exploit passed at 0800 UTC. We now extend the bounty to the public, and offer a reward valued at 10% of remaining exploited funds (currently $1.85 million) to the person who is able to identify the exploiter in a way that leads to a conviction in the courts. If the exploiter chooses to return the funds in full, we will not pursue this further.
The good news has led to positive expectations not only for Curve, but also for its native token CRV. Curve Finance is considered one of the most impactful ecosystems in DeFi.