Curve Offers $1.85 Million Reward to Identify CRV-ETH Pool Hacker

After the deadline for the hacker to negotiate and receive a 10% reward expired, Curve Finance has decided to offer a bounty to the entire community to track down the hacker.

Curve Finance Offers $1.85 Million Bounty
On the morning of August 07, Curve Finance announced a $1.85 million reward for anyone who can track down and expose the individual behind the attack on the CRV-ETH pool on July 31, which resulted in the theft of approximately $18.5 million in CRV and WETH.
The attack on Curve began on the evening of July 30, when a vulnerability in the liquidity pools using the Vyper language allowed hackers to exploit the system. The affected projects included:
- JPEG'd: approximately $11 million
- Metronome: approximately $1.6 million
- Alchemix: $20.6 million + $11 million (returned by white-hat hacker)
- CRV-ETH Pool: $19 million still held by the hacker + $5.3 million returned by white-hat hacker coffeebabe.eth
Initially, Curve offered a deal allowing the hackers to return the stolen assets and keep 10% as a bug bounty. On August 04 and 05, hackers who had exploited the JPEG’d and Alchemix pools returned the stolen funds, amounting to around $30 million.
However, at least two hackers who exploited the Metronome and CRV-ETH pools have yet to return over $20 million. The Curve team issued the following message to the wallet address of the CRV-ETH hacker:
The deadline for the CRV/ETH exploiter passes https://t.co/VphQ0bfYr2
— Curve Finance (@CurveFinance) August 6, 2023
"The deadline to voluntarily return funds to Curve has passed as of 03:00 PM (August 06, Vietnam time). We are now offering a community-wide bounty of 10% of the stolen amount (currently valued at $1.85 million) for anyone who can identify the attacker and bring them to justice.
If the hacker returns the entire amount now, the prosecution request will be withdrawn."
Hacker Responses and Community Reactions
The hacker who attacked the Alchemix pool returned the funds but left a threatening message:
"I want to make it clear that I am returning the funds not because you can find me, but because I do not want to ruin your project. This is a large amount of money for many people, but not for me. I am smarter than all of you."
In the past, several DeFi attacks have seen hackers voluntarily return the entire stolen amount to avoid criminal prosecution, including Poly Network ($611 million - August 2021), Optimism ($20 million - June 2022), Mango Markets ($114 million - October 2022), and Euler Finance ($197 million - March 2023).
However, not all hackers return the stolen funds. Recently, Arkham Intelligence offered a $46,000 reward for information on the hacker who attacked FTX in November 2022, stealing over $300 million just hours after the platform declared bankruptcy.