• Pools belonging to Alchemix, JPEG’d and Metronome were drained of over $61 million in cryptocurrencies by the Curve Finance hacker.
• The attacker began returning stolen funds after accepting a bug bounty of almost $7 million.
• JPEG’d has been refunded and confirmed that 5,495 Ether was returned by the hacker.
Attack on Curve Finance
On July 30, lending platform Alchemix reported a major attack on Curve Finance that resulted in over $61 million in cryptocurrencies being drained from its alETH-ETH pool, while JPEG’d’s pETH-ETH pool saw outflows of $11.4 million and Metronome’s sETH-ETH pool was drained of over $1.6 million. The hacker used reentrancy attacks against stable pools on Curve Finance that were built with vulnerable versions of the Vyper programming language.
Bug Bounty Offer
To recover the stolen funds, Curve, Metronome and Alchemix jointly announced an initiative offering 10% of the seized funds as a bounty and urging those responsible for the exploit to return the remaining 90%. This would bring the total bounty close to $7 million. Less than 24 hours after the offer was made, the original attacker began returning the funds stolen a few days earlier, sending 4,820.55 Alchemix ETH (alETH) back to the Alchemix Finance team before completing the transaction on Aug 5.
Nonfungible token protocol JPEG’d also reported that all of its stolen funds had been refunded as part of this bug bounty offer, with 5,495 Ether returned by the hacker. It will not take legal action against the hacker, as it views the incident as a white-hat rescue.
Message from Hacker
The hacker posted an on-chain message claiming to be willing to return all funds, but only because they did not want to “ruin” the projects involved: “I’m refunding not because you can find me, it’s because I don’t want to ruin your project”.
Alchemix announced that all funds stolen by the hacker have now been returned. Because it regards the incident as a white-hat rescue, no further investigations or legal action against the hacker are planned.