Curve Finance, an Ethereum decentralized finance (DeFi) protocol that recently suffered a devastating $61 million hack, has announced a massive $1.85 million bounty to identify the exploiter in a way that could lead to a conviction as the deadline for the exploiter to return the stolen funds expires.
On Sunday, August 6, Curve Finance shared an on-chain message announcing the bounty offering 10% of the remaining funds as a reward, amounting to $1.85 million. The developer also said they would not pursue the case if the exploiter returned the funds in full.
The deadline for the CRV/ETH exploiter passeshttps://t.co/VphQ0bfYr2 pic.twitter.com/x8LP9Tx4rs
— Curve Finance (@CurveFinance) August 6, 2023
The message reads:
āThe deadline for the voluntary return of funds in the Curve exploit passed at 0800 UTC. We now extend the bounty to the public and offer a reward valued at 10% of the remaining exploited funds (currently $1.85M USD) to the person who is able to identify the exploited in a way that leads to a conviction in the courts. If the exploiter chooses to return the funds in full, we will not pursue this further.ā
Catch Me If You Can: Says The Exploiter to Curve Finance
As Crypto Economy reported, an exploiter ambushed vulnerable versions of the Vyper programming language on July 30 to execute reentrancy attacks on Curve Financeās stable pools. The exploit affected the Alchemix Finance alETH-ETH, JPEGād pETH-ETH, and Metronome sETH-ETH pools. Subsequent investigation found out that the exploiter(s) was able to bag $61 million from the hack.
On August 3, Curve Finance and other affected protocols offered the hacker a 10% bug bounty of over $6 million. On August 4, the exploiter returned more than $12 million to the Alchemix Finance team. On Sunday, Alchemix said that all the funds stolen from the Alchemix pool had been returned.
We are extremely happy to announce that all funds stolen by the hacker of the Alchemix @CurveFinance pool have now been returned.
Full post mortem coming.
— Alchemix (@AlchemixFi) August 5, 2023
The exploiter also posted an on-chain message on Ethereum directed at Alchemix and Curve Finance, effectively saying, catch me if you can. The message reads:
āI saw some ridiculous views, so I want to clarify that Iām refunding you not because you can find me, itās because I donāt want to ruin your project, maybe itās a lot of money for a lot of people, but not for me, Iām smarter than all of you.ā
The Miner Executable Value (MEV) bot that front ran the attack on JPEGād pool and sent the funds to the bot instead of the exploiter has also reportedly returned the funds.