Curve Finance, an Ethereum decentralized finance (DeFi) protocol that recently suffered a devastating $61 million hack, has announced a $1.85 million bounty for anyone who identifies the exploiter in a way that leads to a conviction, now that the deadline for the exploiter to return the stolen funds has expired.
On Sunday, August 6, Curve Finance shared an on-chain message announcing the bounty, which offers 10% of the remaining stolen funds as a reward, currently amounting to $1.85 million. The team also said they would not pursue the case if the exploiter returned the funds in full.
— Curve Finance (@CurveFinance) August 6, 2023
The message reads:
“The deadline for the voluntary return of funds in the Curve exploit passed at 0800 UTC. We now extend the bounty to the public and offer a reward valued at 10% of the remaining exploited funds (currently $1.85M USD) to the person who is able to identify the exploiter in a way that leads to a conviction in the courts. If the exploiter chooses to return the funds in full, we will not pursue this further.”
Catch Me If You Can: Says The Exploiter to Curve Finance
As Crypto Economy reported, on July 30 an exploiter abused a broken reentrancy lock in vulnerable versions of the Vyper compiler to carry out reentrancy attacks on Curve Finance pools. The exploit affected the Alchemix Finance alETH-ETH, JPEG’d pETH-ETH, and Metronome sETH-ETH pools. Subsequent investigation found that the exploiter(s) made off with about $61 million.
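To make the mechanism concrete, the following Python model is an added illustration and is not code from Curve, Vyper or the original article. It uses a simplified constant-share pool (not Curve's StableSwap maths) with constructed balances, and contrasts a lock that is shared across functions with one that is silently keyed per function: in the latter case, the ETH transfer inside remove_liquidity lets the recipient's fallback re-enter add_liquidity while the pool's accounting is half-updated (balance already reduced, LP supply not yet burned), so the re-entering caller is minted LP tokens at a discount. All names and amounts are assumptions for the example.

```python
"""Toy model of a shared vs. per-function reentrancy lock (added example, not Curve/Vyper code)."""


class Reentered(Exception):
    """Raised where a real contract would revert the whole transaction."""


class Pool:
    def __init__(self, shared_lock: bool, eth: float, lp: dict):
        self.shared_lock = shared_lock
        self.locks = {}                 # lock slot -> held?
        self.eth = eth                  # ETH the pool believes it holds
        self.lp = dict(lp)              # LP token balances per holder
        self.total_lp = sum(lp.values())

    def _slot(self, key, fn):
        # Correct behaviour: one storage slot per lock key, shared by every function.
        # Buggy behaviour: a fresh slot per function, so the "shared" key never blocks
        # a call into a *different* function while this one is still running.
        return key if self.shared_lock else (key, fn)

    def _acquire(self, key, fn):
        slot = self._slot(key, fn)
        if self.locks.get(slot):
            raise Reentered(f"{fn} re-entered while {key} is held")
        self.locks[slot] = True

    def _release(self, key, fn):
        self.locks[self._slot(key, fn)] = False

    def add_liquidity(self, who, amount):
        self._acquire("lock", "add_liquidity")
        minted = amount * self.total_lp / self.eth   # priced on the pool's current accounting
        self.eth += amount
        self.total_lp += minted
        self.lp[who] = self.lp.get(who, 0.0) + minted
        self._release("lock", "add_liquidity")
        return minted

    def remove_liquidity(self, who, amount_lp):
        self._acquire("lock", "remove_liquidity")
        eth_out = amount_lp * self.eth / self.total_lp
        self.eth -= eth_out
        who.receive(self, eth_out)      # external call: the ETH transfer runs the recipient's fallback
        self.lp[who] -= amount_lp       # LP burned only after the external call (stale supply during it)
        self.total_lp -= amount_lp
        self._release("lock", "remove_liquidity")
        return eth_out


class Attacker:
    """Recipient contract whose fallback re-enters the pool once during the ETH transfer."""

    def __init__(self, reenter_amount: float):
        self.reenter_amount = reenter_amount
        self.received = 0.0
        self.spent = 0.0
        self.armed = True

    def receive(self, pool, eth):
        self.received += eth
        if self.armed:
            self.armed = False
            self.spent += self.reenter_amount
            pool.add_liquidity(self, self.reenter_amount)   # supply not yet burned -> LP is cheap


def run_attack(shared_lock: bool):
    """Return the attacker's net ETH profit, or None when the lock stops the re-entry."""
    attacker = Attacker(reenter_amount=50.0)
    # Constructed starting state: 100 ETH backing 100 LP, split evenly with a victim.
    pool = Pool(shared_lock, eth=100.0, lp={"victim": 50.0, attacker: 50.0})
    attacker.spent += 50.0          # the attacker's original 50 LP cost 50 ETH
    try:
        pool.remove_liquidity(attacker, 50.0)                  # triggers the fallback
        pool.remove_liquidity(attacker, pool.lp[attacker])     # cash out the excess LP
    except Reentered:
        return None                                            # the real tx would revert here
    return attacker.received - attacker.spent


def victim_claim(shared_lock: bool):
    """ETH the victim can still redeem after the attack on a pool with the given lock."""
    attacker = Attacker(reenter_amount=50.0)
    pool = Pool(shared_lock, eth=100.0, lp={"victim": 50.0, attacker: 50.0})
    try:
        pool.remove_liquidity(attacker, 50.0)
        pool.remove_liquidity(attacker, pool.lp[attacker])
    except Reentered:
        pass
    return pool.lp["victim"] * pool.eth / pool.total_lp


if __name__ == "__main__":
    print("per-function lock, attacker profit:", run_attack(False))   # about 16.67 ETH
    print("shared lock, attacker profit:", run_attack(True))          # None: re-entry blocked
```

With the per-function lock the attacker turns 100 ETH of deposits into roughly 116.67 ETH, the shortfall coming straight out of the other liquidity provider's share; with a genuinely shared lock the re-entering add_liquidity call is rejected and, on chain, the whole transaction would revert. The test runner strips the `__main__` block, so the numbers are checked through the functions.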
On August 3, Curve Finance and the other affected protocols offered the hacker a 10% bug bounty worth over $6 million. On August 4, the exploiter returned more than $12 million to the Alchemix Finance team, and the next day Alchemix said that all the funds stolen from the Alchemix pool had been returned.
We are extremely happy to announce that all funds stolen by the hacker of the Alchemix @CurveFinance pool have now been returned.
Full post mortem coming.
— Alchemix (@AlchemixFi) August 5, 2023
The exploiter also posted an on-chain message on Ethereum directed at Alchemix and Curve Finance, effectively saying, catch me if you can. The message reads:
“I saw some ridiculous views, so I want to clarify that I’m refunding you not because you can find me, it’s because I don’t want to ruin your project, maybe it’s a lot of money for a lot of people, but not for me, I’m smarter than all of you.”
The Maximal Extractable Value (MEV) bot that front-ran the attack on the JPEG’d pool, capturing those funds instead of the exploiter, has also reportedly returned them.