Curve, Metronome and Alchemix offering 10% bug bounty on Vyper hack

The exploit on July 30 resulted in the theft of roughly $70 million in cryptocurrencies, bringing the bounty close to $7 million.

Decentralized finance (DeFi) platforms Curve, Metronome and Alchemix have jointly announced an initiative to recover stolen funds from the recent exploits of Curve’s pools.

According to on-chain data, the protocols are offering a 10% bounty of the stolen funds as a reward, urging those responsible for the exploit to step forward and return the remaining 90%. The exploit on July 30 resulted in the theft of roughly $70 million in cryptocurrencies, which would bring the bounty close to $7 million.

The offer comes with a guarantee of no further legal actions or involvement of law enforcement. “We want to resolve this in a civilized manner,” says the message included in the transaction.

“You will have no risk of us pursuing this further, no risk of law enforcement issues,” the protocols said in a joint statement, adding:

“If you choose not to partake in the voluntary return and complete the process by 6 August at 0800 UTC, we will expand the bounty to the public, and offer the full 10% to the person who is able to identify you in a way that leads to your conviction in the courts. We will pursue you from all angles with the full extent of the law.” 

The trio has provided a direct channel for communication via curvenegotiation@protonmail.com and urged the responsible parties to respond immediately. It also emphasized that any individuals reaching out for negotiations must verify their ownership of the email address on-chain.

The attack occurred due to a critical vulnerability in versions of the Vyper programming language. Several pools using Vyper 0.2.15, 0.2.16 and 0.3.0 were targeted by a malfunctioning reentrancy lock, affecting four liquidity pools on Curve Finance.

The security incident has delivered a fresh sense of uncertainty across the crypto community, raising concerns about a possible domino effect on the DeFi ecosystem. Curve Finance’s native stablecoin, crvUSD, briefly depegged on Aug. 3, reacting to the hazy circumstances surrounding the protocol after the exploit.

Magazine: Should crypto projects ever negotiate with hackers? Probably

Leave a Reply

Your email address will not be published. Required fields are marked *

Please enter CoinGecko Free Api Key to get this plugin works.