Curve Finance has placed a $1.85 million bounty on the attacker who recently stole over $73 million from the platform. The bounty goes to anyone who can identify the attacker in a way that leads to a conviction in court.
This is in spite of the hacker voluntarily returning some of the looted funds. The attacker stole a total of $73.5 million, of which he has refunded $53 million, roughly 70% of the total, to the project.
Curve said it would suspend the bounty only if the attacker returned the full amount by a deadline that has now passed, so it is going ahead with the hunt.
“The deadline for the voluntary return of funds in the Curve exploit passed at 0800 UTC,” Curve publicly wrote in an Ethereum transaction’s input data, adding: “We now extend the bounty to the public, and offer a reward valued at 10% of remaining exploited funds (currently $1.85M USD) to the person who is able to identify the exploiter in a way that leads to a conviction in the courts.”
Stolen funds returned
The attack on Curve happened on 30 July, when the exploiter took advantage of vulnerable versions of the Vyper programming language to execute reentrancy attacks on targeted stable pools. The attack targeted several pools, including JPEGd, Metronome, and Alchemix.
Of the targeted pools, the funds stolen from Alchemix’s alETH-ETH pool, amounting to $22 million – more than 12,000 ether (ETH) – have been fully returned. Also, 90% of the assets drained from JPEGd’s pETH-ETH pool, amounting to 5,495 ETH ($11.5 million), has been refunded.
Similarly, the misappropriated funds from Metronome’s sETH-ETH pool and Curve Finance’s CRV-ETH main pool – $7 million in total – were returned by an MEV bot operator going by the ENS name c0ffeebabe.eth.
According to blockchain security firm PeckShield, $19.7 million in stolen funds has yet to be returned, and it is for this amount that Curve is offering the bounty.
Attacker being considerate
The attacker who returned the stolen funds has also sent a message to Curve, indicating that he was only being considerate. He wrote in a transaction that he was refunding the money because he did not want the project to crash, and not for fear of being caught.
“I want to clarify that I’m refunding you not because you can find me, it’s because I don’t want to ruin your project,” they explained in a transaction, adding: “Maybe it’s a lot of money for a lot of people, but not for me, I’m smarter than all of you.”
It remains to be seen whether Curve can get the assailant caught and convicted in accordance with the terms of the bounty, but it would be a major breakthrough if it can.