In the latest response to the recent reentrancy exploit, Curve Finance and other affected protocols launched a 10% bug bounty worth more than $6 million to incentivize the hacker to return the funds. Although the hacker returned some assets, not all were recovered. As the voluntary return deadline has lapsed, Curve Finance is now extending the bug bounty to the public, offering $1.85 million in assets to anyone who can identify the DeFi exploiter.

A Closer Look at the Attack and Hacker’s Actions

The attack on Curve Finance, which took place on July 30, resulted in a massive loss of over $61 million in cryptocurrencies from various pools, including $13.6 million from Alchemix’s alETH-ETH, $11.4 million from JPEG’d’s pETH-ETH, and $1.6 million from Metronome’s sETH-ETH. The hacker used reentrancy attacks against stable pools that relied on vulnerable versions of the Vyper programming language.

Following the attack, Curve and other affected protocols offered the hacker a 10% bug bounty, amounting to more than $6 million, as an incentive to return the stolen funds. The hacker decided to return the funds to Alchemix and JPEG’d but refused to refund the remaining affected pools. In an on-chain message, the hacker stated that they were refunding the funds not because they feared being identified, but rather to avoid jeopardizing the projects involved. The message struck an arrogant tone: the hacker boasted that the returned amount was insignificant to them and claimed to be smarter than anyone else involved.

Curve Finance Extending the Bug Bounty and Implications

With the voluntary return deadline having passed, Curve Finance has taken the step of extending the bug bounty offer to the public. They are now offering a reward equivalent to 10% of the remaining exploited funds, valued at around $1.85 million, to anyone who can identify the exploiter in a manner that leads to a conviction in the courts. Curve clarified that if the attacker chooses to return all embezzled funds in full, they will not pursue further legal action.

The move to extend the bug bounty to the public is a significant development in the aftermath of the DeFi exploit. It demonstrates Curve Finance’s determination to identify and hold the attacker accountable for the security breach. Additionally, the incident highlights the importance of vulnerability assessment and security measures within DeFi protocols, as the decentralized nature of these platforms can make them susceptible to sophisticated attacks.


Curve Finance’s response to the recent security breach showcases the challenges and risks faced by DeFi protocols in the ever-evolving landscape of blockchain technology. By offering a substantial bug bounty, Curve aims to incentivize individuals and the broader community to assist in identifying the exploiter responsible for the attack. As the DeFi sector continues to grow, security remains a top priority, and initiatives like bug bounties play a crucial role in bolstering the resilience and trustworthiness of these platforms.

