
Over the weekend, the DeFi world was jolted by the news that Curve Finance, a prominent stablecoin exchange at the heart of Ethereum's decentralized finance ecosystem, had fallen victim to a significant exploit. Unlike traditional financial services that rely on intermediaries, Curve uses smart contracts to offer a range of financial services, including stablecoin borrowing, trading, and lending, and lets users earn annual yields of up to 4% by providing liquidity to its pools.
The exploit was traced to a reentrancy bug in Vyper, the Python-like smart-contract language in which several of Curve's pools are written: in certain compiler versions (0.2.15, 0.2.16 and 0.3.0) the reentrancy lock provided by the @nonreentrant decorator did not actually work, so contracts that relied on it were unprotected. In a reentrancy attack, a contract makes an external call, for example transferring ETH to the caller, before it has finished updating its own bookkeeping; the receiving contract uses that callback to call back into the pool and withdraw again against balances that have not yet been reduced. Attackers swiftly used the flaw to drain several pools, critically impacting pricing and liquidity for the many DeFi services that depend on them. The affected pools included crv/eth, aleth/eth, mseth/eth, and peth/eth. Although the exact extent of the damage was initially uncertain, blockchain auditing firm BlockSec estimated that losses amounted to over $42 million in its preliminary analysis.
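To make the mechanism concrete, here is an added toy model of a reentrancy attack written in Python; it is not Curve's or Vyper's code and does not reproduce the actual exploit transactions. The pool pays out by calling the withdrawer's receive hook, the attacker's hook calls withdraw again while its balance is still credited, and two switches let you compare a working reentrancy lock against one that compiles to a no-op (modelling the compiler bug), with and without the checks-effects-interactions ordering that would have limited the damage even with a broken lock. All names (Pool, Attacker, run_attack) and the balances are constructed for the example.

```python
"""Toy model of a reentrancy attack on a liquidity pool (constructed example)."""


class ReentrancyError(Exception):
    """Raised when a working reentrancy lock rejects a nested call."""


class Pool:
    """Pool that pays ETH out by calling the withdrawer's receive hook.

    lock_works=False models a compiler bug where the reentrancy lock is a no-op.
    safe_order=True zeroes the balance before the external call
    (checks-effects-interactions); False pays out first, then updates.
    """

    def __init__(self, reserve, lock_works=True, safe_order=False):
        self.reserve = reserve        # ETH held by the pool (hypothetical units)
        self.balances = {}            # liquidity credited per account
        self.lock_works = lock_works
        self.safe_order = safe_order
        self._locked = False

    def deposit(self, account, amount):
        self.balances[account] = self.balances.get(account, 0) + amount
        self.reserve += amount

    def withdraw(self, account):
        # Reentrancy guard: only effective if the compiler actually emitted it.
        if self.lock_works:
            if self._locked:
                raise ReentrancyError("reentrant call blocked")
            self._locked = True
        try:
            amount = self.balances.get(account, 0)
            if amount == 0:
                return 0
            if self.safe_order:
                self.balances[account] = 0   # effect recorded before interaction
            # Interaction: the transfer hands control to the receiving contract.
            self.reserve -= amount
            account.receive(self, amount)
            if not self.safe_order:
                self.balances[account] = 0   # too late: we were re-entered above
            return amount
        finally:
            if self.lock_works:
                self._locked = False


class Attacker:
    """Contract whose receive hook re-enters withdraw while its balance is stale."""

    def __init__(self, max_depth=50):
        self.got = 0                  # ETH extracted so far
        self.max_depth = max_depth    # stands in for the gas limit
        self.depth = 0

    def receive(self, pool, amount):
        self.got += amount
        self.depth += 1
        try:
            if self.depth < self.max_depth and pool.reserve >= amount:
                try:
                    pool.withdraw(self)
                except ReentrancyError:
                    pass              # guard held: stop re-entering
        finally:
            self.depth -= 1


def run_attack(lock_works, safe_order, reserve=100, stake=10):
    """Stake `stake` into a pool holding `reserve`, withdraw once, and report
    (ETH the attacker ended up with, ETH left in the pool)."""
    pool = Pool(reserve, lock_works=lock_works, safe_order=safe_order)
    attacker = Attacker()
    pool.deposit(attacker, stake)
    pool.withdraw(attacker)
    return attacker.got, pool.reserve


if __name__ == "__main__":
    for lock, order in [(False, False), (True, False), (False, True)]:
        got, left = run_attack(lock, order)
        print(f"lock_works={lock!s:5} safe_order={order!s:5} "
              f"attacker got {got}, pool left with {left}")
```

With a broken lock and pay-out-before-update ordering, a 10 ETH stake drains the whole 110 ETH pool; either a working lock or the checks-effects-interactions ordering stops the attack at the attacker's legitimate 10 ETH. The practical lesson is that a reentrancy lock is a compiler feature you are trusting, so contracts should also order state updates before external calls rather than rely on the lock alone.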
Tarun Chitra, the CEO and founder of Gauntlet, a crypto risk modeling firm, estimated that the hacker made off with around $20 million worth of CRV and a version of ether.
Curve’s Response
In the aftermath of the exploit, Curve Finance, along with other impacted projects, chose an unconventional path to recover the stolen assets. They extended an offer to the hackers, proposing a 10% bounty in exchange for returning the remaining tokens. An on-chain message, directed to the hacker's Ethereum address, conveyed this offer on behalf of Curve, Metronome, and Alchemix.
The trio assured the hacker that if they returned the stolen funds before the deadline of August 6, 08:00 UTC, there would be no further pursuit or legal action, and the bounty would stand as a reward for cooperating. If the hacker refused, the same bounty would instead be paid to anyone providing information leading to the hacker's identification, arrest, and conviction. The impacted projects made it unequivocally clear that they would employ all legal means to recover the assets.
"We will pursue you from all angles with the full extent of the law," – Curve, Metronome and Alchemix. How ominous.
Return Of The Crypto
In an unexpected twist, the hacker responsible for the exploit, whose losses were by then estimated at around $61 million, engaged in talks with Alchemix, one of the affected projects, and began returning the stolen assets. Blockchain data corroborated this development, showing that the hacker transferred 4,820 ether (ETH), worth approximately $8.9 million, to Alchemix's multisig wallet.
This turn of events raised hopes among the impacted projects that most of the stolen assets could be recovered. The hacker's cooperation followed the 10% bounty offer from Curve Finance and the other affected platforms, which ran until the end of the week. News of the returned assets lifted CRV, Curve's governance token, by 5% during the day. The incident stands as one of the most dramatic crypto exploits of 2023, and shows both the lengths DeFi projects will go to reclaim stolen funds and how much the ecosystem depends on its compiler and contract tooling being correct.
Under Pressure
In related news, Curve Finance founder Michael Egorov is under considerable pressure to service his roughly $80 million in on-chain debt following the drop in the price of the Curve (CRV) token and the exploit that hit the platform. To reduce the burden, Egorov has started a new round of over-the-counter (OTC) sales of CRV, selling 25 million CRV tokens for $10 million through Wintermute Trading in two transactions.
These OTC deals have let Egorov pay down part of his borrows from lenders including Aave, Abracadabra, FraxLend, and Inverse Finance. The debt remains significant, however, and a further fall in the price of CRV carries contagion risk: DeFi risk management firm Gauntlet has warned that if CRV falls to $0.368, Aave may have to sell Egorov's CRV collateral into a market too illiquid to absorb it.
Despite these challenges, CRV has shown some resilience. After falling more than 20% since the exploit, it recently climbed to $0.61 at the time of writing on the news that the hacker may be returning the stolen funds.