Curve Offers $1.89 Million Bounty On Hacker

Following the multi-million hack of Curve on July 30, the team have offered 10% of the stolen amount as a bounty for the "person who is able to identify the exploiter in a way that leads to a conviction in the courts."

The move comes after a deadline given to the hacker to return the stolen funds passed.

It’s never too late to be what you might have been - a whitehat https://t.co/8GAoEikTUM pic.twitter.com/YYBYgXeZm7
— emiliano.oO (@emilianobonassi) August 3, 2023

Several pools were affected by the attack, in which the hacker exploited a vulnerability in Vyper, the smart contract programming language used to code the dApp. Overall, more than $60 million was stolen, including from pools for the Alchemix and JPEGd protocols.

Two-Thirds Of Funds Recovered

More than $40 million was returned by the attacker, or intercepted by white hat hackers, including the Alchemix and JPEGd funds. However, the hacker did not return Curve's funds by the deadline, even with the incentive of a 10% reward ($1.89 million) and will now be hunted by the crypto community. They can still walk away with no further legal consequences if they return the requested 90%.

It's unclear how effective the strategy will be, since it's possible the hackers were a state-sponsored organization, like North Korea's Lazarus Group, who have been responsible for major incidents including the $600 million Ronin Bridge exploit in 2022.

The hacker also doesn't seem that interested in dealing with those who threaten them. "I saw some ridiculous views, so i want to clarify that I'm refunding you not because you can find me, it's because I don't want to ruin your project, maybe it's a lot of money for a lot of people, but not for me, I'm smarter than all of you, fuck!!!" they stated in a message added to a transaction that returned funds to some of those affected.

Wider Problems

The Curve hack has prompted broader concerns within the crypto space, as the price of Curve's native CRV token has plummeted. This, in turn, could have serious second-order consequences for other DeFi protocols.

Curve founder Michael Egorov has taken out a huge loan to buy a mansion, using CRV as collateral on multiple platforms including Aave, Fraxlend, Abracadabra, and Inverse Finance. All of these have scrambled to mitigate the risk of accruing bad debt as the liquidity for CRV dries up. CRV crashed from $0.73 to $0.50 as news of the hack spread, though has since regained some ground to stabilize at $0.62.

1/ Yesterday, several @CurveFinance pools were exploited.

Curve founder, Michael Egorov, currently has a ~$100M loan backed by 427.5m $CRV (about 47% of the entire CRV circulating supply).

With $CRV down 10% over the past 24 hours, the health of Curve is in jeopardy. 🧵⬇️ pic.twitter.com/EKpQCkDs6W
— Delphi Digital (@Delphi_Digital) August 1, 2023

Egorov has paid down some of the debt without further harming the market by selling CRV at a discount to OTC buyers, with a vesting period, including Tron's Justin Sun.

Subscribe to our newsletter and follow us on Twitter.