Curve Finance, a prominent decentralized finance (DeFi) protocol, has recognized the efforts of a security researcher by granting them a $250,000 reward. The researcher, identified as Marco Croc from Kupia Security, uncovered a critical vulnerability within the protocol. This class of flaw has historically been exploited by hackers to illicitly withdraw millions of dollars from various cryptocurrency protocols.
Marco Croc’s discovery pinpointed a reentrancy vulnerability within Curve Finance. This flaw could potentially be exploited to manipulate balances and withdraw funds from liquidity pools. Recognizing the gravity of this issue, Curve Finance conducted an exhaustive investigation and opted to award Marco Croc the maximum bounty available for their contribution.
Curve Finance Incentivizes White Hat Hacking
Although the threat was deemed “not as dangerous,” Curve Finance acknowledged the potential for panic had a security incident transpired. Through this reward, Curve Finance aims to encourage responsible security research and fortify its defenses against potential exploits.
This development follows Curve Finance’s rebound from a $62 million hack in July. As part of the protocol’s restoration efforts, it recently decided to reimburse $49.2 million worth of assets to liquidity providers (LPs). The disbursement, approved by 94% of tokenholders, covers losses incurred in the Curve, JPEG’d (JPEG), Alchemix (ALCX), and Metronome (MET) pools.
The reimbursement plan involves utilizing Curve DAO (CRV) tokens from the community fund and takes into consideration tokens recovered since the incident. This results in a final distribution of 55,544,782.73 CRV.
The reimbursement calculations account for the recovery of 5,919.2226 ETH and 34,733,171.51 CRV.
The vulnerability exploited by the attacker targeted stable pools and affected specific versions of the Vyper programming language. Versions 0.2.15, 0.2.16, and 0.3.0 of Vyper were identified as susceptible to reentrancy attacks, which the attacker utilized for unauthorized fund withdrawals.
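A defender auditing their own Vyper contracts can check which sources allow one of the three compiler versions named above and also use Vyper's `@nonreentrant` guard. The following is an added example, not code from Curve, Vyper, or the article. The verdict labels, the sample contracts, and the npm-style reading of `^`/`~` ranges are assumptions. A pragma only states which compilers are allowed, so the version recorded in build metadata for the deployed bytecode remains the authoritative check.

```python
import re

# Vyper releases the article lists as susceptible to reentrancy.
AFFECTED = [(0, 2, 15), (0, 2, 16), (0, 3, 0)]

# Accepts "# @version 0.2.15", "# @version ^0.2.15", "#pragma version >=0.2.15".
PRAGMA = re.compile(
    r"^#\s*(?:@version|pragma\s+version)\s+(\^|~|>=|==)?\s*(\d+)\.(\d+)\.(\d+)", re.M)
GUARD = re.compile(r"^\s*@nonreentrant\b", re.M)


def admits(op, base, ver):
    """True if a pragma `op base` allows compiler version `ver`."""
    if op == ">=":
        return ver >= base
    if op in ("^", "~"):
        # Assumption: npm-style ranges, which for 0.x pin the minor version.
        return ver[:2] == base[:2] and ver >= base
    return ver == base  # bare or "==" pin


def assess(source):
    """Classify one Vyper source file by pragma and guard usage."""
    m = PRAGMA.search(source)
    if m is None:
        # No pragma: the compiler version must come from build metadata.
        return {"verdict": "unknown", "admitted": [], "guarded": False}
    op, base = m.group(1) or "", tuple(int(g) for g in m.groups()[1:])
    admitted = [".".join(map(str, v)) for v in AFFECTED if admits(op, base, v)]
    guarded = bool(GUARD.search(source))
    if not admitted:
        verdict = "ok"
    elif guarded:
        verdict = "guard-at-risk"      # depends on the guard under a listed compiler
    else:
        verdict = "affected-compiler"  # listed compiler allowed, no guard in use
    return {"verdict": verdict, "admitted": admitted, "guarded": guarded}


# Constructed sample sources, not taken from any real pool.
POOL_OLD = '# @version 0.2.15\n\n@external\n@nonreentrant("lock")\ndef remove_liquidity(amount: uint256):\n    pass\n'
POOL_RANGE = '# @version ^0.2.8\n\n@external\ndef get_virtual_price() -> uint256:\n    return 0\n'
POOL_NEW = '#pragma version 0.3.10\n\n@external\n@nonreentrant("lock")\ndef exchange(dx: uint256):\n    pass\n'

if __name__ == "__main__":
    for name, src in [("old", POOL_OLD), ("range", POOL_RANGE), ("new", POOL_NEW)]:
        print(name, assess(src))
```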
April Records Lowest Crypto Hack Losses
In April, the cryptocurrency industry witnessed a significant decrease in combined losses attributed to hacks and scams. It marked the lowest total losses since 2021, with approximately $25.7 million lost due to various exploits, hacks, and scams.
The $25.7 million lost to attacks is the lowest monthly figure since CertiK began monitoring such data in 2021. Flash loan attacks accounted for $129,000 in losses, with the most significant incident resulting in $55,000 in damages.
This notable decline in flash loan attacks represents the lowest incidence since February 2022, while exit scams led to a loss of $4.3 million.
Reports indicate that the first quarter of this year witnessed a total of $336 million lost to Web3 hackers and fraud, with nearly half of the capital stolen in January alone. However, this figure marks a 23% decrease compared to the first quarter of 2023.
Additionally, it’s noteworthy that $73,885,000 has been recovered from stolen Web3 capital in seven specific situations.