Curve Finance Offers $1.85 Million Public Bounty to Find Hacker

A week ago, the decentralized finance (DeFi) platform Curve Finance faced a major exploit with hackers stealing north of $60 million in funds. After a week of failing to meet the deadline to return the funds, Curve Finance has decided to drag the exploiter to court and pursue the case further.

Curve and other protocols impacted by the attack tried to stop the hacker and offered them a reward of 10% of the stolen funds, totaling more than $6 million. The hacker accepted the offer and returned some of the stolen assets to Alchemix and JPEGd.

However, it didn’t complete refunds to other affected pools. Now, since the deadline has passed, Curve Finance is offering a public bounty. Thus, anyone identifying the attacker shall receive rewards with assets worth $1.85 million. In an on-chain message, Curve Finance noted:

“The deadline for the voluntary return of funds in the Curve exploit passed at 0800 UTC. We now extend the bounty to the public, and offer a reward valued at 10% of remaining exploited funds (currently $1.85M USD) to the person who is able to identify the exploited in a way that leads to a conviction in the courts,” adding that “if the exploiter chooses to return the funds in full, we will not pursue this further.”

Curve Finance Stablecoin Restores

After a strong fall last week, it seems that Curve Finance’s native stablecoin crvUSD has restored its dollar peg.

Before returning the stolen funds, the attacker sent a message to the Alchemix and Curve teams, saying that they were doing it not because they were afraid of being caught, but because they didn’t want to harm their projects. “I’m refunding not because you can find me, it’s because I don’t want to ruin your project,” as per the on-chain message by the attacker.

The attack took place on July 30 and resulted in more than $61 million being stolen from Curve’s pools, including large amounts from Alchemix’s, JPEGd’s, and Metronome’s pools. The attacker used a technique called reentrancy attacks on vulnerable versions of the Vyper programming language to target stable pools.