Curve, Metronome and Alchemix offering 10% bug bounty on Vyper hack
The exploit on July 30 resulted in the theft of roughly $70 million in cryptocurrencies, bringing the bounty close to $7 million.
Decentralized finance (DeFi) platforms Curve, Metronome and Alchemix have jointly announced an initiative to recover stolen funds from the recent exploits of Curve’s pools.
According to on-chain data, the protocols are offering a 10% bounty of the stolen funds as a reward, urging those responsible for the exploit to step forward and return the remaining 90%. The exploit on July 30 resulted in the theft of roughly $70 million in cryptocurrencies, which would bring the bounty close to $7 million.
Dear hacker, you've got an incoming messagehttps://t.co/ZKJjrO65PX
— Curve Finance (@CurveFinance) August 3, 2023
The offer comes with a guarantee of no further legal actions or involvement of law enforcement. “We want to resolve this in a civilized manner,” says the message included in the transaction.
“You will have no risk of us pursuing this further, no risk of law enforcement issues,” the protocols said in a joint statement, adding:
“If you choose not to partake in the voluntary return and complete the process by 6 August at 0800 UTC, we will expand the bounty to the public, and offer the full 10% to the person who is able to identify you in a way that leads to your conviction in the courts. We will pursue you from all angles with the full extent of the law.”
The trio has provided a direct channel for communication via [email protected] and urged the responsible parties to respond immediately. It also emphasized that any individuals reaching out for negotiations must verify their ownership of the email address on-chain.
The attack occurred due to a critical vulnerability in versions of the Vyper programming language. Several pools using Vyper 0.2.15, 0.2.16 and 0.3.0 were targeted by a malfunctioning reentrancy lock, affecting four liquidity pools on Curve Finance.
The security incident has delivered a fresh sense of uncertainty across the crypto community, raising concerns about a possible domino effect on the DeFi ecosystem. Curve Finance’s native stablecoin, crvUSD, briefly depegged on Aug. 3, reacting to the hazy circumstances surrounding the protocol after the exploit.
Magazine: Should crypto projects ever negotiate with hackers? Probably