
Curve Finance Extends $1.85M Bug Bounty to Public Following Expiration of Return Deadline

by BSCN

August 7, 2023

Curve is now extending the bounty to the public, offering $1.85 million to anyone who can identify the hacker in a way that leads to a conviction in court.

Curve Finance, together with Metronome and Alchemix, joined forces on August 3 to offer a 10% bounty totaling about $7M to the hacker, following an exploit that drained over $70M from its pools on July 30.

Subsequently, the attacker returned the stolen assets to Alchemix and JPEGd but failed to refund the other impacted pools. With the deadline now expired, Curve Finance is extending the bounty to the public, offering assets worth $1.85 million to anyone who can identify the exploiter.

In an on-chain message, Curve Finance stated, "The deadline for the voluntary return of funds in the Curve exploit passed at 0800 UTC. We now extend the bounty to the public and offer a reward valued at 10% of remaining exploited funds (currently $1.85M USD) to the person who is able to identify the exploiter in a way that leads to a conviction in the courts. If the exploiter chooses to return the funds in full, we will not pursue this further."

Before returning the funds, the attacker left a message seemingly directed at the Alchemix and Curve teams, claiming they were refunding not because of fear of detection but because they did not want to harm the projects involved.

The attack used reentrancy to target stable pools built with vulnerable versions of the Vyper programming language, raising concerns about security vulnerabilities in DeFi projects. Efforts to recover stolen funds have been ongoing across the DeFi ecosystem over the past week.
