Curve, Metronome and Alchemix offering 10% bug bounty on Vyper hack
Decentralized finance (DeFi) platforms Curve, Metronome and Alchemix have jointly announced an initiative to recover stolen funds from the recent exploits of Curve’s pools.
According to on-chain data, the protocols are offering a bounty of 10% of the stolen funds as a reward, urging those responsible for the exploit to step forward and return the remaining 90%. The exploit on July 30 resulted in the theft of roughly $70 million in cryptocurrencies, which would bring the bounty close to $7 million.
Dear hacker, you’ve got an incoming message https://t.co/ZKJjrO65PX
— Curve Finance (@CurveFinance) August 3, 2023
The offer comes with a guarantee of no further legal actions or involvement of law enforcement. “We want to resolve this in a civilized manner,” says the message included in the transaction.
“You will have no risk of us pursuing this further, no risk of law enforcement issues,” the protocols said in a joint statement, adding:
“If you choose not to partake in the voluntary return and complete the process by 6 August at 0800 UTC, we will expand the bounty to the public, and offer the full 10% to the person who is able to identify you in a way that leads to your conviction in the courts. We will pursue you from all angles with the full extent of the law.”
The trio has provided a direct channel for communication via firstname.lastname@example.org and urged the responsible parties to respond immediately. It also emphasized that any individuals reaching out for negotiations must verify their ownership of the email address on-chain.
The attack occurred due to a critical vulnerability in certain versions of the Vyper programming language. Several pools using Vyper 0.2.15, 0.2.16 and 0.3.0 were targeted because of a malfunctioning reentrancy lock, affecting four liquidity pools on Curve Finance.
The security incident has spread a fresh sense of uncertainty across the crypto community, raising concerns about a possible domino effect on the DeFi ecosystem. Curve Finance’s native stablecoin, crvUSD, briefly depegged on Aug. 3, reacting to the hazy circumstances surrounding the protocol after the exploit.