Decentralized finance (DeFi) platform Curve Finance has officially stated its intention to reimburse users impacted by the recent hack resulting in $62 million of losses.
According to an X (formerly Twitter) post from its official account, ongoing investigations are yielding progress, with approximately 79% of the funds successfully recovered. The platform also said it would assess each impacted user for reimbursement.
This assessment aims to ensure an equitable distribution of resources. The incident on July 30 involved malicious actors exploiting vulnerabilities in past releases of the Vyper compiler used by Curve Finance.
Quick post-hack update.
While 70% of funds affected by the hack last week are recovered, active investigation with regards to the rest is underway.
In the meantime, we are also working on measuring the respective shares of each affected user with the goal of proper distribution
— Curve Finance (@CurveFinance) August 11, 2023
The individual behind the hack directed their attack at versions 0.2.15 to 0.3.0 of the Vyper compiler. Identifying the vulnerabilities demanded a significant degree of skill and substantial resources, as highlighted by experts in the field.
One contributor to Vyper said the attack was likely planned for weeks before execution. Among the pools exploited were CRV/ETH, alETH/ETH, msETH/ETH and pETH/ETH. Furthermore, there is growing concern that the tri-crypto pool on Arbitrum might also have been exploited.
The attack rippled across the entire DeFi ecosystem. A comprehensive examination of the breach underscored an issue within the budding cryptocurrency sector: the absence of proper incentives to identify vulnerabilities in previous software iterations.
A 10% bounty was extended to the individual responsible for the hack, and upon acceptance, the perpetrator started to return the funds. According to Etherscan, at the time of writing, the total value of the funds returned amounted to 4,821 Ether (ETH) or $8,891,578.