Lucy Jane Curve Finance, a decentralized finance (DeFi) protocol, offers a bug bounty to anyone who can identify the exploiter who drained over $61 million from its pools on July 30.
Curve and other protocols affected by the attack offered a 10% bug bounty, aggregating over $6 million, to the hacker on August 3.
Accepting the offer, the intruder returned stolen assets to Alchemix and JPEGd but not to other affected pools.
As the deadline has passed, anyone identifying the perpetrator will now receive $1.85 million in assets.
“The voluntary return of funds deadline for the Curve exploit has passed at 08:00 UTC.” We are now extending the bounty to the public and offering a reward of 10% of the remaining exploited funds (currently $1.85 million) to anyone who can identify the exploiter in a way that leads to a court conviction.
If the exploiter chooses to return the funds in full, we will not pursue this matter further.
Before returning the funds, the assailant posted a message that appeared to have been directed at the Alchemix and Curve teams, claiming that they were only willing to return the funds because they didn’t want to derail the respective projects.
The on-chain message reads, “I’m refunding not because you can find me but because I don’t want to ruin your project.”
The 30th of July attack resulted in the theft of over $61 million worth of cryptocurrencies from Curve’s pools, including $13.6 million from Alchemix’s alETH-ETH, $11.4 million from JPEGd’s pETH-ETH, and $1.6 million from Metronome’s sETH-ETH.
Using reentrancy attacks, the intruder targeted stable pools utilizing vulnerable versions of the Vyper programming language.
The exploit exposed vulnerabilities across DeFi initiatives and prompted efforts across the ecosystem to recover stolen funds over the past week.