Curve Finance offers $1.85M reward to identify attacker

Once the voluntary return period expired, the Curve team proposed a reward amounting to 10% of the remaining exploited funds


WindAwake/Shutterstock, modified by Blockworks


Curve Finance is offering a bounty of $1.85 million to anyone who can assist in identifying the person responsible for exploiting their protocol, in a manner that could culminate in a lawful conviction in court.

“If the exploiter chooses to return the funds in full, we will not pursue this further,” the team behind the DeFi protocol said on Aug. 6.

On July 30, the DeFI protocol fell victim to a software bug, resulting in the loss of more than $70 million in various digital assets.

One or more attackers took advantage of vulnerable versions of a programming language known as Vyper, using them to perform re-entrancy attacks on select Curve liquidity pools.

Loading Tweet..

Curve is seen as the most structurally significant decentralized exchange in the DeFi landscape, with liquidity of $3 billion. Its importance particularly resonates in the stablecoin swap markets — an area that remained unaffected during these incidents.

On Aug. 3, Curve and other protocols impacted by the breach proposed a 10% bug bounty to the infiltrator, amounting to over $6 million. 

Some of the misappropriated assets were subsequently returned to Alchemix and JPEGd, but not the other impacted pools.

According to PeckShield, 73% of stolen funds (worth about $52.3 million) have been returned as of Monday.

Following the incident, the attacker issued an on-chain message, maintaining that their decision to return the stolen assets was motivated by a desire not to inflict additional damage on the involved projects.

“I saw some ridiculous views, so i want to clarify that I’m refunding you not because you can find me, it’s because I don’t want to ruin your project, maybe it’s a lot of money for a lot of people, but not for me, I’m smarter than all of you,” the exploiter wrote in an on-chain message.

Curve’s CRV governance token is down over 6% in the last seven days, and was last trading at $0.61. Post the attack, it briefly plummeted below $0.50, amid fears that CRV collateral used on DeFi lending platforms could be liquidated en masse.

Start your day with top crypto insights from David Canellis and Katherine Ross. Subscribe to the Empire newsletter.

Explore the growing intersection between crypto, macroeconomics, policy and finance with Ben Strack, Casey Wagner and Felix Jauvin. Subscribe to the On the Margin newsletter.

The Lightspeed newsletter is all things Solana, in your inbox, every day. Subscribe to daily Solana news from Jack Kubinec and Jeff Albus.


Upcoming Events

Salt Lake City, UT

MON - TUES, OCT. 7 - 8, 2024

Blockworks and Bankless in collaboration with buidlbox are excited to announce the second installment of the Permissionless Hackathon – taking place October 7-8 in Salt Lake City, Utah. We’ve partnered with buidlbox to bring together the brightest minds in crypto for […]

Salt Lake City, UT

WED - FRI, OCTOBER 9 - 11, 2024

Pack your bags, anon — we’re heading west! Join us in the beautiful Salt Lake City for the third installment of Permissionless. Come for the alpha, stay for the fresh air. Permissionless III promises unforgettable panels, killer networking opportunities, and mountains […]

recent research

Unlocked by Template.png


With the spot ETH ETF approval, the institutions are coming. stETH - given its dominance in marketshare, existing liquid market structures, and highly desirable properties - is poised for institutions.


Plus, Solana set a record for weekly unique active addresses on the network last week


Launching cryptocurrencies the old fashioned way may soon make a return


Kraken and CertiK brought their beef to social media after Kraken said researchers exploited $3 million through a bug


NVIDIA’s historic run is only deepening the divide between mega-cap tech stocks and the rest of the market.


EIP-7702 was quickly adopted for the next Ethereum upgrade, but developers haven’t quite locked it down