Curve, a decentralized finance (DeFi) protocol, was exploited on July 30, with more than $61 million drained from several of its pools. To identify the exploiter, Curve is now offering a reward of $1.85 million. The reward was announced after the deadline Curve had set for the return of the funds passed without the remaining funds being returned.
The attacker used a reentrancy attack, exploiting a bug in certain versions of the Vyper programming language (0.2.15, 0.2.16 and 0.3.0) with which some of Curve's stable pools had been compiled: the compiler's @nonreentrant lock, which is supposed to block re-entry into a protected function, did not work correctly in those versions. Reentrancy is one of the oldest and best-known classes of smart-contract vulnerability on Ethereum. The broken lock allowed the attacker to call back into a pool contract before the contract's previous call had finished, while its internal state still reflected the situation before that call.
Curve and the other affected protocols initially offered the exploiter a 10% bug bounty, worth more than $6 million, in exchange for returning the rest. The attacker subsequently returned some of the stolen assets to Alchemix and JPEGd, but did not refund the other affected pools.
How does a reentrancy attack work?
A reentrancy attack targets a contract that makes an external call (for example, sending ETH to the caller) before it has updated its own state. Control passes to the recipient during that call; if the recipient is itself a contract, its code runs and can call back into the withdrawal function, which still sees the stale, un-decremented balance and pays out again. Repeated re-entry drains the contract. The standard defenses are to update state before making any external call (the checks-effects-interactions pattern) and to add a reentrancy lock so that a protected function cannot be entered again while it is still executing; in this incident the lock was present in the source but broken by the compiler. The attacker drained more than $61 million from several of Curve's stable pools, underscoring the severity of the attack and its potential impact on DeFi.
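The following is an added illustration written in plain Python for this article; it is not Curve's or Vyper's code. It models a toy vault contract with two withdrawal entry points and an attacker contract whose fallback re-enters the vault, and runs it in four configurations: no guard, checks-effects-interactions, a working nonreentrant lock that keys its storage slot by lock name, and a broken lock that allocates a separate slot per function (a simplified model of the Vyper compiler bug, in which functions sharing a lock name did not share a lock). All accounts, deposits and amounts are constructed for the simulation.

```python
"""Reentrancy modelled in plain Python (illustration, not Curve/Vyper code).

Vault modes:
  "none"               external call before the balance update, no guard
  "cei"                checks-effects-interactions: zero the balance first
  "shared_lock"        working nonreentrant lock: one slot per lock name
  "per_function_lock"  broken lock: a separate slot per function (simplified
                       model of the Vyper bug), so one cross-function
                       re-entry slips through
"""


class Reentered(Exception):
    """Raised when a locked nonreentrant function is entered again."""


class Account:
    """Externally owned account: receiving funds runs no code."""

    def __init__(self, eth: int) -> None:
        self.eth = eth

    def receive(self, vault: "Vault", via: str) -> None:
        pass


class Vault:
    """Toy contract: deposit(), withdraw(), withdraw_all()."""

    def __init__(self, mode: str) -> None:
        self.mode = mode
        self.balances: dict = {}
        self.eth = 0            # funds held by the contract
        self.locks: dict = {}   # storage slot -> locked?

    def deposit(self, who: Account, amount: int) -> None:
        who.eth -= amount
        self.eth += amount
        self.balances[who] = self.balances.get(who, 0) + amount

    def withdraw(self, who: Account) -> None:
        self._withdraw(who, "withdraw")

    def withdraw_all(self, who: Account) -> None:
        self._withdraw(who, "withdraw_all")

    def _slot(self, fn: str):
        # Correct: every function using the same lock name shares one slot.
        # Broken: the slot also depends on the function, so withdraw() and
        # withdraw_all() never see each other's lock.
        return ("lock", fn) if self.mode == "per_function_lock" else "lock"

    def _acquire(self, fn: str) -> None:
        if self.mode in ("shared_lock", "per_function_lock"):
            slot = self._slot(fn)
            if self.locks.get(slot):
                raise Reentered(fn)
            self.locks[slot] = True

    def _release(self, fn: str) -> None:
        if self.mode in ("shared_lock", "per_function_lock"):
            self.locks[self._slot(fn)] = False

    def _withdraw(self, who: Account, fn: str) -> None:
        self._acquire(fn)               # fails before any state change if locked
        try:
            bal = self.balances.get(who, 0)
            if bal == 0:
                return
            if self.mode == "cei":
                self.balances[who] = 0      # effect first ...
                self._send(who, bal, fn)    # ... external interaction last
            else:
                self._send(who, bal, fn)    # interaction first: control leaves
                self.balances[who] = 0      # with the balance still unchanged
        finally:
            self._release(fn)

    def _send(self, who: Account, amount: int, via: str) -> None:
        self.eth -= amount
        who.eth += amount
        who.receive(self, via)  # like an ETH transfer, runs the recipient's code


class Attacker(Account):
    """Malicious contract whose fallback re-enters the vault."""

    def __init__(self, stake: int) -> None:
        super().__init__(stake)
        self.stake = stake

    def attack(self, vault: "Vault") -> int:
        vault.deposit(self, self.stake)
        vault.withdraw(self)
        return self.eth - self.stake    # funds taken beyond the attacker's own stake

    def receive(self, vault: "Vault", via: str) -> None:
        if vault.eth < self.stake:      # nothing left to drain
            return
        other = "withdraw_all" if via == "withdraw" else "withdraw"
        try:
            getattr(vault, other)(self)  # re-enter through the other entry point
        except Reentered:
            pass                         # inner call fails; fallback just returns


def simulate(mode: str, honest_deposit: int = 9, stake: int = 1) -> int:
    """Return how much the attacker extracts beyond its own stake."""
    vault = Vault(mode)
    vault.deposit(Account(honest_deposit), honest_deposit)
    return Attacker(stake).attack(vault)


if __name__ == "__main__":
    for mode in ("none", "cei", "shared_lock", "per_function_lock"):
        print(f"{mode:>18}: attacker gains {simulate(mode)}")
```

With nine units of honest deposits and a one-unit stake, the unguarded vault loses everything, the checks-effects-interactions and shared-lock variants lose nothing, and the per-function lock still lets the attacker through once by re-entering via the second entry point. That single permitted re-entry is the point of the model: a lock that does not cover every entry point is not a lock.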
This incident highlights the importance of robust security practices and thorough code review when developing smart contracts, and also their limits: because the flaw was in the compiler rather than in the pool source, a review of the contract code alone would have shown a lock that looked correct. Projects need to track the toolchain they build with, not only the code they write. Even in the relatively mature DeFi space, the risk of reentrancy remains, and it calls for constant vigilance from DeFi projects.
Curve Finance has now offered a reward equivalent to 10% of the remaining exploited funds (currently $1.85 million) to anyone who identifies the attacker in a way that leads to their conviction. Curve has also stated that it will not pursue the matter further if the exploiter returns the stolen funds in full.
Before returning some of the funds, the exploiter sent a message to the Alchemix and Curve teams, stating that the refund was not due to fear of being caught but rather out of consideration for not wanting to cause harm to the projects.
The attack on July 30 affected several of Curve's pools and caused significant losses for projects such as Alchemix, JPEGd, and Metronome. Because the bug lay in the compiler, any contract built with an affected Vyper version was potentially exposed, not only Curve's, which prompted the industry to rally together to assess exposure and recover the stolen funds.