Curve Promises to Return Stolen Funds to Users

Reading Time: 2 minutes
  • DeFi platform Curve Finance has announced plans to reimburse users after a $62 million hack, with 79% of funds recovered
  • The hack targeted vulnerabilities in the Vyper compiler, affecting pools like CRV/ETH and alETH/ETH
  • The attacker received a 10% bounty and has returned around $8.9 million worth of Ether

DeFi platform Curve Finance has committed to compensating users following a $62 million hack, having successfully recovered about 79% of the stolen funds. The attack exploited vulnerabilities in Curve Finance’s Vyper compiler, impacting pools such as CRV/ETH and alETH/ETH, although the attacker has returned approximately $8.9 million worth of Ether. The incident underscores broader security concerns within the DeFi ecosystem and highlights the need for improved vulnerability detection and incentives for cybersecurity.

Curve Will Conduct Individual Assessments

Curve announced in an X (formerly Twitter) post that it plans to distribute the 79% of stolen funds that have been successfully recovered, with the platform set to individually evaluate each affected user’s claim. This customized assessment approach is aimed at ensuring a fair and just distribution of restitution among the impacted parties:

The attack, which unfolded on July 30, exploited vulnerabilities in the release history of Curve Finance’s Vyper compiler, highlighting a critical security breach; the attacker strategically targeted versions 0.2.15 to 0.3.0 of the Vyper compiler. This action required a high level of technical expertise and substantial resources, a fact emphasized by industry experts who have since commented on the matter.

Impact Has Been Felt Industry-wide

The ramifications of the Curve attack have reverberated throughout the entire DeFi landscape, bringing into sharp focus an underlying issue within the cryptocurrency sector. Namely, the lack of appropriate incentives to uncover vulnerabilities in previous iterations of software has been highlighted by this incident.

As has been a custom in recent months, a bounty amounting to 10% was offered to the perpetrator, which he accepted, saying that he was only returning the funds because he “didn’t want to ruin” the project, adding, “Maybe it’s a lot of money for a lot of people, but not for me, I’m smarter than all of you.”