- DeFi’s Curve Finance restores confidence by retrieving 73% of the roughly $73 million in stolen funds.
- Ethical hackers and a sharp bot assist in recovering $22M from AlchemixFi.
- Vyper flaw hits Curve, Metronome, and Alchemix and $18M is unrecovered. Curve Finance offers public rewards for recovery.
Curve Finance, a prominent decentralized finance (DeFi) platform, has recovered 73% of the funds stolen in a hack that resulted in the loss of over $73 million worth of various tokens and caused ripple effects across the broader ecosystem.
PeckShieldAlert, the cybersecurity firm specializing in cryptocurrencies, has made notable progress in identifying the perpetrator behind the DeFi attack. Over the past week, funds stolen from various sources have steadily been returned. Specifically, the $22 million in ether (ETH) and ether derivatives initially stolen from the AlchemixFi lending platform has been completely restored. A shrewd trading bot was pivotal in recovering 90% of the stolen ether from JPEGd.
#PeckShieldAlert A total of ~$73.5M worth of cryptos on #Ethereum were stolen in the #Curve Reentrancy exploit. So far, ~73% of them (~$52.3M) have been returned. The remaining ~$19.7M worth of cryptos on #Ethereum have not yet been returned by the 1st Curve CRV-ETH exploiter…
— PeckShieldAlert (@PeckShieldAlert) August 7, 2023
Furthermore, an ethical hacker who goes by the alias “c0ffeebabe.eth” reportedly orchestrated the retrieval of over $6 million from the synthetic Metronome protocol and a trading pool within the Curve platform. Another ethical hacker restored $13 million taken from Alchemix.
The incident stemmed from a reentrancy attack that targeted Curve and the lending and borrowing platforms Metronome and Alchemix. Exploiting a vulnerability in the system, attackers managed to siphon off tokens, throwing these platforms into chaos. To recover the assets, the affected protocols had collectively offered a 10% reward for their return by August 6.
The attack was traced back to a flaw in the Vyper programming language, which underpins critical elements of the Curve system. Reentrancy, a well-known class of bug, let the attackers make repeated calls to the smart contract, enabling them to acquire assets illicitly.
Following the breach, Curve Finance initiated a 10% incentive program for the attackers to relinquish the stolen assets. Friday witnessed a breakthrough when the attacker began to return the funds to Alchemix, confirming the deposit address via a blockchain message.
Although substantial progress has been made, more than $18 million worth of stolen funds remain unrecovered. As of Sunday night, Curve has widened the scope of its bounty, extending the offer to the public in a determined effort to retrieve the remaining assets. The platform declared that the deadline for “the voluntary return of funds in the Curve exploit passed at 0800 UTC”, adding,
“We now extend the bounty to the public, and offer a reward valued at 10% of remaining exploited funds (currently $1.85M) to the person who is able to identify the exploiter in a way that leads to a conviction in the courts.”
Curve Finance expressed optimism following the recovery of the funds, which has improved sentiment around the platform and its governance token, CRV. Curve is one of the most influential platforms in the DeFi ecosystem, and the resolution of this hack showcases the resilience and commitment of the community to safeguard the integrity of the decentralized finance space.