Emerging New Trend
Over the past few months, an interesting emerging trend has been observed after an exploit wherein hackers have begun returning ill-gotten funds in exchange for a clean chit from the law and a sizeable bug bounty reward from the project developers.
However, it still does not serve as a foolproof scheme to retrieve the lost funds. In some instances, the hackers oblige, returning some of the hacked funds while in other instances, the negotiation remained unsuccessful.
Recently, the decentralized finance (DeFi) platform Jimbo’s Protocol offered 10% of the exploited funds as a bounty and threatened the hacker with a prosecution. In another incident, Euler Finance announced a $1 million bounty on the hacker who stole almost $200 million from the DeFi platform, earlier this year. There have been a lot of instances when crypto companies and project developers have offered substantial bounties to recover their lost funds.
Bounty To Recover Lost Funds
In the latest development, Sturdy Finance has extended a $100K bounty in an attempt to redeem its exploited $800K. On June 13, Sam Forman, the project’s founder confirmed in a tweet that his team had sent an on-chain message to the unknown attacker’s address, offering the bounty in order to return the stolen funds to a specified address owned by Sturdy.
We've sent the following message to the Sturdy hacker on-chain:
"To the exploiter: as we have seen with recent hacks, exploits are not as easy to escape from as they used to be. That said, we are willing to offer you $100k as a bounty, and will not pursue you further if you send…
— Sam Forman (@pgpsam) June 12, 2023
As per the tweet, Forman has asked the hacker to contact a provided email which belongs to Sturdy Finance, if he is willing to discuss other conditions. In addition, the exec also said that the team will “advocate for no criminal charges” if the funds are returned. Forman tweeted,
“As we have seen with recent hacks, exploits are not as easy to escape from as they used to be. That said, we are willing to offer you $100k as a bounty, and will not pursue you further if you send the remaining funds to 0x4e489d9863c9bAAc6C4917E1221274760BA889F5.”
This comes shortly after Sturdy Finance was hacked on June 12, resulting in a loss of approximately $800K. As per blockchain security firm Peckshield, the hacker exploited a vulnerability that eventually manipulated a faulty price oracle, allowing them to drain funds from the protocol.
However, on further investigation, Peckshield highlighted the root cause of the exploit was primarily due to the defective price oracle to compute the cB-stETH-STABLE asset price. The security firm also confirmed that the attacker was able to transfer almost $800,000 in ETH to the crypto mixer Tornado Cash.
Almost an hour later, the DeFi protocol said that they were aware of the exploit and responded by pausing all their markets and assuring its users that no additional funds were at risk. The team reassured users that no other funds were at risk and that the platform’s security would be thoroughly investigated.
We are aware of the reported exploit of the Sturdy protocol. All markets have been paused; no additional funds are at risk and no user actions are required at this time.
We will be sharing more information as soon as we have it.
— Sturdy 🧱 (@SturdyFinance) June 12, 2023
Hackers Agree To Return Exploited Funds
Several crypto-focused organizations have managed to recover a substantial amount of lost finds through bounty programs in the past few months. In April alone, there were at least three incidents of hackers returning exploited funds in the decentralized finance (DeFi) space. On April 4, the Euler Finance team was able to recover $176.4 million after offering the hacker 10% of the stolen funds.
Following successful negotiations, all of the recoverable funds taken from the Euler protocol on March 13th have now been successfully returned by the exploiter.
— Euler Labs 🇬🇧 (@eulerfinance) April 3, 2023
Similarly, lending protocol Sentiment was able to recover almost $1 million in stolen funds after negotiating with its hacker. More recently, the attacker who was able to take $8.9 million from DeFi protocol SafeMoon agreed to return 80% of the funds.
After successful negotiations with the exploiter, 90% of hacked funds have been returned as agreed. A full statement will follow in the coming hours.
— Sentiment (@sentimentxyz) April 6, 2023
It seems the prospect of making a good chunk of money without having authorities track them down is a good prospect for hackers. Also, as enforcement agencies beef up their act, hackers may be forced to return ill-gotten funds for fear of being identified and arrested.