Coinbase, the leading U.S. cryptocurrency exchange, has inadvertently profited by approximately $1 million due to the $73 million hack of Curve Finance in July. Despite this, the exchange has not taken steps to reimburse the victims of the hack.
This interesting turn of events stems from a particular quirk of the DeFi ecosystem.
Back in July Curve Finance, a decentralized finance (DeFi) platform, experienced a massive exploit where roughly $73 million worth of digital assets were stolen from Curve. The hack temporarily disrupted Curve's asset-pricing mechanism, enabling astute traders to exploit price disparities. Capitalizing on this unique opportunity, a trading bot acquired the remaining assets at a significant discount and subsequently sold them for profit, paying 570 ETH (Ethereum) to ensure rapid transaction processing, and marking the second-largest payout in Miner Extractable Value (MEV) history, a practice optimizing transaction order for maximum profit.
The Ethereum network relies on validators, and there are a lot of them around. However, in this specific instance, it was Coinbase that served as the validator receiving the payment. This led to the exchange becoming an unintended beneficiary of the exploit, to the tune of roughly $1 Million. So far, Coinbase has not shown any intention to return the funds to the victims of the exploit, however, it also isn’t actually obligated to do so either.
Following the hack, Alchemix, a victim of the Curve exploit incurring losses of $22 million, approached Coinbase seeking restitution for the affected parties. However, Coinbase turned down the requests to return the money it earned from the hack. While Alchemix has argued that Coinbase is keeping stolen funds, Coinbase claims there is no legal obligation to reimburse the victims and has thus far shown no willingness to return the funds.
Most of the stolen assets have been returned since the exploit, including $22 million worth of stolen ETH and alETH from the exploiter along with a substantial portion by a white-hat hacker and a trading bot operator. Even the arbitrage trading bot that profited from the imbalance – the very transaction that Coinbase profited from – returned its 43ETH profit after being approached by the Alchemix team, however, Coinbase has not followed suit.
Despite Alchemix's efforts to negotiate the return of the funds, Coinbase has cited neutrality and decentralization principles, arguing against any responsibility to prevent blockchain crimes, similar to how highways are not responsible for crimes committed on them.
Ethics and Code
This situation highlights the complex ethical considerations surrounding crypto theft, as well as the challenges in enforcing accountability and restitution in a decentralized ecosystem.
This incident highlights the tension between the decentralized, "code is law" ethos of blockchain-based finance and the challenges faced by victims of crypto theft in seeking redress. With over $735 million in digital assets stolen in hacks this year alone, the difficulties in recovering such funds often deter potential users from embracing cryptocurrency at all.
The Coinbase-Curve situation really sheds some light on the intricate and tenuous asset-recovery process that ensues after crypto hacks. The complexity of crypto trading algorithms and the spontaneity of arbitrage opportunities make it challenging to trace the destination of stolen funds. As a result, beneficiaries of crypto thefts, often unintentional, receive unexpected fees for running certain blockchain infrastructure.
Coinbase's position in this matter raises questions about whether the company should reimburse victims with funds earned indirectly from the hack. However, whether Coinbase’s position is justified or whether these funds even qualify as "dirty money" to begin with remains a subject open to interpretation.