Curve Finance opens $1.85M bounty to public for help recovering funds after DeFi exploits

Decentralized finance (DeFi) protocol Curve Finance (CRV) has offered a $1.85 million public bounty to recover the remaining funds stolen on its platform through a reentrancy bug on July 30.

In an on-chain message dated Aug. 6, Curve conveyed that the deadline for the hacker to voluntarily return the stolen funds had passed at 08:00 UTC on that day, with no funds returned.

Consequently, the protocol revealed it was giving the public a chance to identify the exploiter in a way that could lead to a conviction in the courts. However, the protocol offered not to pursue this path if the hacker chooses to return the funds.

On July 30, several DeFi platforms were exploited via a reentrancy attack after multiple versions of Vyper, a smart contract language for the Ethereum virtual machine (EVM), were hacked. The incident had broader implications as investors and liquidity providers withdrew over $3 billion from DeFi projects, presenting a contagion risk for the sector.

Due to this, Curve Finance offered the attacker a 10% bounty in exchange for the return of funds stolen before Aug. 6. The attacker returned some of the stolen funds to some of its victims, including Alchemix, on Aug. 5 prompting speculations that the attacker would return more of the stolen funds to the protocol.

Curve has reclaimed 73% of stolen funds.

Meanwhile, blockchain analytical firm Peckshield reported that roughly 73% of the total amount stolen in the Curve exploit had been returned as of Aug. 7.

Peckshield said $22 million in Ethereum and its derivatives, previously stolen from AlchemixFi, were successfully recovered. An ethical hacker further contributed to the project’s recovery by returning $13 million.

The firm further noted that a trading bot that front-ran the exploit of JPEGd returned 90% of the stolen ETH to the project. Additionally, another ethical hacker, c0ffeebabe.eth returned nearly $7 million to Metronome and a Curve trading pool.

Community scampers to prevent contagion

DeFi protocols are rapidly reducing their exposure to Curve’s embattled CRV token amid these developments.

On Aug. 6, the Aave community overwhelmingly approved a proposal prohibiting additional CRV borrowing on its platform. The proposal was designed to prevent the liquidation risk presented by Curve’s founder Michael Egorov’s significant debt position backed by the CRV token.

Blockchain analyst Lookonchain reported that Egorov had sold 142.6 million CRV tokens for $57 million to at least 30 different entities, including market maker Wintermute, Tron founder Justin Sun and others, via over-the-counter deals.

However, Egorov still has around $49 million in debt across different DeFi protocols.