Just-In: Curve Finance Says it Will Refund Affected Users in Post-Hack Update

Based on a recent update, Decentralized Finance (DeFi) stablecoin lending platform Curve Finance has confirmed plans to refund affected users in the recent hack which led to the loss of $62 million from the protocol. 

According to Curve Finance, investigations are still ongoing but so far about 79% of the funds have been recovered. Adding that in the meantime, it is focused on “working on measuring the respective shares of each affected user with the goal of proper distribution.”

Quick post-hack update.

While 70% of funds affected by the hack last week are recovered, active investigation with regards to the rest is underway.

In the meantime, we are also working on measuring the respective shares of each affected user with the goal of proper distribution

— Curve Finance (@CurveFinance) August 11, 2023

The Melodramatic Curve Finance Hack

The crypto lender was hacked on July 30 by bad actors who took advantage of certain vulnerabilities in the release history of its Vyper compiler. 

Precisely, the perpetrator of the hack focused on versions 0.2.15 to 0.3.0 of the Vyper compiler. It seemed like the hacker knew exactly where the flaws were on Vyper’s past releases. Spotting such vulnerabilities could have only taken a high level of expertise and resources as experts pointed out.

Notably, there have been speculations that the operation was well thought-out before execution. One contributor to Vyper is confident that the plan took the hackers some weeks, if not months to come up with. Some of the impacted pools are CRV/ETH, alETH/ETH, msETH/ETH, and pETH/ETH. It is also believed that the tri-crypto pool on Arbitrum might also be affected. 

Sadly, the attack sent shockwaves through the entire DeFi ecosystem. A broad look at the exploit demonstrated the lack of incentivization for uncovering bugs in past software releases as a challenge for the nascent crypto industry. 

Hacker Takes Bounty and Initiates Partial Refund

A 10% bounty reward was promised to the hacker who accepted the offer. A few days later, the hacker behind the attack initiated the process of returning the funds. 

Etherscan data confirmed that the hacker had performed three separate transactions to the Alchemix Finance developer wallet, transferring a total of 4,821 Ethereum (ETH) worth $8,891,578 at the time. Till now, the hacker has not completed the refund.

The hacker’s choice to return the funds to Alchemix Finance instead of directly to Curve Finance is perceived as a level of discretion or a strategic decision to prevent him from being caught.