The dark clouds looming over the crypto landscape brightened a shade as Curve Finance, the well-known decentralized finance platform, experienced a surprising twist.
Only days after a crippling hack wiped out a staggering $61 million, every single digital coin was recovered. But before you pop the champagne, let’s delve into the sequence of events that led to this unexpected U-turn.
The Heist: When Curve Finance Was Dealt a Blow
It was a chilling day for crypto enthusiasts and investors on July 30. Hackers set their sights on Curve Finance, exploiting vulnerabilities in the platform related to the Vyper programming language.
These loopholes led to successful reentrancy attacks, facilitating the unauthorized draining of crypto funds. Among the affected, Alchemix’s alETH-ETH pool was hit hard with losses amounting to $13.6 million.
But they weren’t alone in their misfortune. JPEG’d’s pETH-ETH pool wasn’t spared either, witnessing a depletion of $11.4 million. To add to the list, Metronome’s sETH-ETH pool experienced a staggering loss of over $1.6 million.
A collective gasp resonated through the community. Could this be the end of the road for these projects? Not quite.
A Bounty to Change the Tide
In the wake of the grim scenario, Curve Finance, along with Alchemix and Metronome, took an audacious step. On August 3, the trio announced a unique proposal directed at the hackers – a bug bounty program.
This wasn’t your run-of-the-mill bounty. The offer? Return 90% of the stolen funds and walk away with a generous 10% as a reward. This means the attacker would pocket a cool $7 million for their “cooperation.” Risky? Definitely. But sometimes, one has to fight fire with fire.
And here’s where things took an unexpected turn. In less than a day following the bounty announcement, funds began trickling back to their original coffers. The hacker returned 4,820.55 Alchemix ETH (alETH) initially. By August 5, every stolen coin was back in its rightful digital wallet.
While it may seem like the hacker had a change of heart, let’s not kid ourselves. An on-chain message from the attacker to the Curve and Alchemix teams laid things out plainly.
According to that message, the decision to return the funds was not out of fear of being caught but more about not wanting to annihilate the projects. A ‘noble’ act? Hardly.
Furthermore, the JPEG’d team confirmed that they too received a refund, with 5,495 Ether reinstated. The icing on the cake? No legal action will be taken against the hacker. In the words of the JPEG’d team, this entire fiasco will be viewed as a “white-hat rescue.”
While this event unfolded in a rather fortunate manner for Curve Finance and other affected entities, it’s essential to acknowledge the glaring vulnerabilities in the crypto realm.
What’s the lesson here? DeFi platforms need to up their game. This wasn’t charity or a knight in shining armor rescuing the damsel in distress. It was a calculated move by an individual or group who found it more profitable to return the money than to run with it.