Home / News / Crypto / News / Curve Negotiates With Hacker Allowing Them to Take Money and Run
6 min read

Curve Negotiates With Hacker Allowing Them to Take Money and Run

Published August 4, 2023 11:39 AM
Teuta Franjkovic
Published August 4, 2023 11:39 AM
Key Takeaways
  • Alchemix Finance, Curve Finance, and MetronomeDAO sent a subtly worded negotiation to hackers.
  • The DeFi trio offered a “10% bounty of any stolen funds” from the exploiters in exchange for restoring the remaining assets.
  • They gave the deadline of August 6

On August 3, Curve Finance and two other DeFi platforms provided a bounty for the hacker to return the money that had been taken in several recent incidents.

Alchemix, Curve, and Metronome wrote :

“We as a group … would like to discuss a bounty with any parties who were involved in the recent Curve exploits. We are offering a 10% bounty of any funds stolen, which are yours to keep if you return the remaining 90%.”

The three projects stated that they would not pursue the matter further or contact law authorities if the perpetrator(s) returned the stolen monies.

But if the attackers don’t come forward willingly by August 6, they said, a 10% reward will be given to anyone who can identify the perpetrators in a way that results in their being found guilty in court. In a statement, the three DeFi platforms vowed to “pursue [the attacker] from all angles [within] the full extent of the law.”

The same-asset lending platform Alchemix, the synthetic asset protocol Metronome, and the decentralized exchange Curve all signed the statement.

On August 3, Curve Finance tweeted , “Dear hacker, you’ve got an incoming message.” The entire message has been encoded in an associated Ethereum (ETH) transaction that appears on the blockchain.

The Attacks Go Beyond Curve

On July 30, Curve Finance was first breached, and between $60 and $70 million were taken from the system. Vyper smart contracts have a weakness that enabled the attack and further attacks elsewhere.

Hackers stole $22.6 million from Alchemix’s alETH pools and $3.4 million from Metronome’s msETH pools.

As a result, Curve’s most recent announcement included a reference to a similar bounty for the Alchemix hacker. Despite the fact that Metronome signed the message, there was no link to any bounty that had been promised to the Metronome hacker.

Total Locked Value (TVL) in DeFi platforms has decreased due to the latest hacks’ extensive reach. On August 2, CryptoSlate discovered that more over $3 billion had been removed from DeFi services by investors and liquidity providers.

Curve Finance Impacted By Vyper Vulnerability.

Vyper, a smart contract language for the Ethereum (ETH) virtual machine (EVM), was found to have various versions of a problematic “reentrancy locks vulnerability” on July 30. The programming language acknowledged the incident and warned that Vyper 0.2.15, 0.2.16, and 0.3.0-based crypto projects may be affected.

Following the report, Curve Finance said that a few of its stable pools using Vyper 0.2.15 have taken advantage of the flaw in the reentrancy lock.

An attacker can drain funds from a vulnerable contract by repeatedly using the withdraw function before it refreshes its balance. Many DeFi protocols have been commonly exploited using this approach.

A blockchain security company BlockSec warned  that any pools using wrapped Ether (WETH) could be at risk from the reentrancy attack.

Although the exact amount taken from Curve Finance’s stablecoin pools is unknown, some estimates  put the figure as high as $70 million.

However, a MetaMask developer, Taylor Monahan reported  “lots of whitehat activity + automated MEV bots,” indicating that the quantity may be lower.

CRV Price Plummets

According to data from CoinMarketCap , the vulnerability has made Curve’s CRV token extremely volatile, with its price dropping by over 15% when the hack happened and at the time of writing stood at $0.575, falling further by 0.74%.

Liquidity dried off after the attack on the CRV/ETH pool, and CRV’s on-chain value fell to a low of $0.109.

Upbit, a South Korean cryptocurrency exchange, shut down deposits and withdrawals for the token due to flaws found in the DeFi project’s infrastructure. In addition, the exchange stated  that the price of CRV was “experiencing significant volatility.”

Fears About Bad Debt and Contagion

There are worries that if hackers start selling their large holdings of CRV, the token’s price may drop even further. Because Curve founder Michael Egorov utilized the token as security on other loan protocols, including Aave, there is a possibility that this will spread.

A liquidation brought on by a decline in the price of CRV will impact Curve and all the protocols because Egorov has over $100 million  in CRV pledged as collateral on Aave, Inverse, and Abracadabra.

Egorov has been paying down  some of the loans in an effort to prevent liquidation. This might not, however, stop bad debt from spreading to other lending methods that were exposed to Curve.

Aave Ethereum v2 has disabled the CRV borrowing feature in the meantime. This was most likely done, according to Wu Blockchain, to stop traders from exploiting the Curve weakness to cause panic and maliciously shorting borrowed CRV to encourage serial liquidation.

Was this Article helpful? Yes No