Lending platform Alchemix has announced that it has successfully recovered all of the stolen funds from the recent hack on Curve Finance. The attack, which occurred on July 30, resulted in over $61 million in cryptocurrencies being drained, including $13.6 million from Alchemix’s alETH-ETH pool.
The hacker used reentrancy attacks against stable pools on Curve Finance that were built with vulnerable versions of the Vyper programming language. Along with Alchemix, other pools like JPEGd’s pETH-ETH and Metronome’s sETH-ETH were also affected, with outflows of $11.4 million and over $1.6 million, respectively.
However, a positive turn of events came when the hacker accepted a bug bounty offer. On August 3, Curve, Metronome, and Alchemix jointly announced an initiative to recover the stolen funds. They offered a 10% bounty of the seized funds as a reward and urged the responsible party to return the remaining 90%, which would amount to approximately $7 million.
Less than 24 hours after the offer was made, the original attacker began returning the stolen funds. The first transaction took place on August 5, when 4,820.55 Alchemix ETH (alETH) was sent back to the Alchemix Finance team. The subsequent transaction completed the return of the funds.
In an on-chain message directed towards the Alchemix and Curve teams, the attacker stated their willingness to return the funds. However, the message also emphasized that this decision was not due to fear of being caught but rather to not wanting to “ruin” the projects involved.
The hacker’s actions have also extended to the nonfungible token protocol JPEGd, which confirmed that 5,495 Ether has been returned. As part of the bounty offer, JPEGd has decided not to pursue any legal action against the perpetrators. Instead, the protocol describes this occurrence as a “white-hat rescue.”
The return of all stolen funds brings relief to Alchemix, Curve, Metronome, and JPEGd, as they can now focus on strengthening their platforms and enhancing security measures to prevent similar incidents in the future. This event also highlights the significance of bug bounty programs in recovering compromised funds and incentivizing hackers to act responsibly.
As the recovery process concludes, the concerned parties will likely release a postmortem report detailing the vulnerabilities that were exploited and the steps taken to prevent future attacks. This incident serves as a reminder for decentralized finance platforms to remain vigilant and prioritize security to safeguard users’ investments and maintain trust within the industry.
In conclusion, the return of the stolen funds by the hacker marks a positive outcome in the aftermath of the attack on Curve Finance. The collaborative effort between Alchemix, Curve, Metronome, and JPEGd, along with the acceptance of the bug bounty offer, has ensured the recovery of the majority of the stolen funds. Going forward, it is crucial for these platforms to continue enhancing their security protocols and learning from these incidents to protect user funds and uphold the integrity of decentralized finance.