Key Points:
- Curve Finance commits to reimbursing users after $62M hack.
- 79% of lost funds recovered; individual assessments for reimbursement.
- Attack exploited Vyper compiler vulnerabilities; multiple pools affected.
Curve Finance, a prominent decentralized finance (DeFi) platform, has announced its commitment to reimbursing users who were affected by a recent hack that resulted in a substantial loss of $62 million.
The platform shared its assurance via an official statement posted on X (formerly Twitter), outlining that ongoing investigative efforts have yielded progress, with a remarkable 79% of the funds successfully recovered thus far. As a part of its restorative measures, Curve Finance has pledged to thoroughly evaluate each user impacted by the breach to ensure a fair distribution of compensation.
Quick post-hack update.
While 70% of funds affected by the hack last week are recovered, active investigation with regards to the rest is underway.
In the meantime, we are also working on measuring the respective shares of each affected user with the goal of proper distribution
— Curve Finance (@CurveFinance) August 11, 2023
The hack, which took place on July 30, was carried out by malicious actors who exploited vulnerabilities in older releases of the Vyper compiler used by Curve Finance. The attack specifically targeted versions 0.2.15 to 0.3.0 of the Vyper compiler, an effort that, as industry experts highlighted, demanded considerable expertise and substantial resources.
Notably, a contributor to Vyper pointed out that the hack appeared to have been meticulously planned weeks in advance of its execution. Among the affected pools were CRV/ETH, alETH/ETH, msETH/ETH, and pETH/ETH. Furthermore, concerns have arisen about a potential exploitation of the tri-crypto pool on the Arbitrum network.
The repercussions of the attack reverberated throughout the entire DeFi ecosystem, shedding light on a prevalent issue within the cryptocurrency space: the lack of adequate incentives to identify vulnerabilities in preceding software iterations.
In a surprising turn of events, a 10% bounty was extended to the individual responsible for the hack. Upon acceptance of this offer, the perpetrator initiated the process of returning the pilfered funds. According to data from Etherscan, the current value of the funds that have been returned stands at 4,821 Ether, equivalent to approximately $8,891,578 at the time of writing.