The attacker started returning stolen funds after accepting nearly $7 million in bug bounty. Funds had been returned to Alchemix and JPEGd.
Lending platform Alchemix has announced the return of all stolen funds by the Curve finance hacker. The attack took place on July 30 and resulted in over $61 million in cryptocurrencies drained, including $13.6 million from Alchemix’s alETH-ETH pool.
Along with Alchemix, JPEGd’s pETH-ETH pool saw outflows of $11.4 million, and Metronome’s sETH-ETH pool was drained in over $1.6 million. The hacker targeted stable pools on Curve Finance using vulnerable versions of the Vyper programming language through reentrancy attacks.
We are extremely happy to announce that all funds stolen by the hacker of the Alchemix @CurveFinance pool have now been returned.
Full post mortem coming.
— Alchemix (@AlchemixFi) August 5, 2023
The return of funds started after the hacker accepted a bug bounty offer. Curve, Metronome and Alchemix jointly announced an initiative to recover stolen funds on Aug. 3, offering a 10% bounty of the seized funds as a reward, and urging those responsible for the exploit to return the remaining 90%, which would bring the bounty close to $7 million.
In less than 24 hours after the offer, the original attacker began returning funds stolen a few days earlier, initially sending back 4,820.55 Alchemix ETH (alETH) to the Alchemix Finance team, before completing the transaction on Aug. 5
The attacker posted a message that seems to have been directed at the Alchemix and Curve teams, claiming to be willing to return the funds but only because the person didn’t want to “ruin” the projects involved.
“I’m refunding not because you can find me, it’s because I don’t want to ruin your project,” reads the on-chain message.
Nonfungible token protocol JPEG’d has also been refunded, confirming that 5,495 Ether has been returned by the hacker. As part of the bounty offer, the protocol will not take legal action against the perpetrators.
“Any further investigations or legal matters against the entity will end. We view this occurrence as a white-hat rescue,” the JPEG’d team stated.