Curve Finance managed to retrieve 73% (~$52.3M) of the funds stolen from its platform. The platform had initially lost ~$73.5M worth of cryptos on Ethereum through a Reentrancy exploit. Exploiters responsible for the theft has yet to return the remaining ~$19.7M on which Curve and other DeFi platforms have placed a 10% bounty worth over $1.8M.
Curve Finance and Metronome, and Alchemix sent the hacker responsible for the theft an on-chain message .
The on-chain message offered the hacker a 10% bounty on the amount stolen while giving them a deadline of August 6th.
“You will have no risk of us pursuing this further, no risk of law enforcement issues, etc,” read the message .
The message also included a warning that if the hacker chooses not to return the stolen funds voluntarily before the deadline “We will pursue you from all angles with the full extent of the law.”
The exploiter opted not to return the stolen funds by the Curve Finance and Co deadline. The victims responded by issuing the 10% bounty to the public, stating that “We now extend the bounty to the public, and offer a reward valued at 10% of remaining exploited funds (currently $1.85M USD) to the person who can identify the exploiter in a way that leads to a conviction in the courts.”
However, the exploiter still has one last chance to voluntarily return the funds, as Curve and Co stated, “If the exploiter chooses to return the funds in full, we will not pursue this further.”
Vyper is a smart contract language for the Ethereum (ETH) virtual machine (EVM). On July 30th, when Curve was exploited, Vyper reported the issue that allowed such an exploit, saying, “The investigation is ongoing, but any project relying on these versions should immediately reach out to us.”
The vulnerability was confirmed when Curve tweeted that “A number of stablepools (alETH/msETH/pETH) using Vyper 0.2.15 have been exploited as a result of a malfunctioning reentrancy lock.”
In layman’s terms, the exploiter managed to steal the money through Vyper contracts by repeatedly using the withdraw function before it refreshes its balance.
Bounty hunters may have access to $1.8 million should they provide credible information regarding the exploiter that may lead to their legal conviction.
The exploiter has one last chance to turn in the stolen tokens. If they do, they may walk away scot-free. But, since they passed their August 6th deadline, they may not receive the 10% bounty upon refunding the tokens.