A security researcher recently received a $250,000 reward for uncovering a critical vulnerability in the Curve Finance decentralized finance (DeFi) protocol.
This flaw had previously enabled cybercriminals to steal millions from various cryptocurrency systems.
The vulnerability, identified by Marco Croc, a cybersecurity expert from Kupia Security, involved a reentrancy issue that could have been exploited to tamper with balances and withdraw unauthorized funds from liquidity pools.
Marco Croc detailed his findings in a series of posts on X, explaining the potential risks and manipulations possible due to the bug.
Curve Finance swiftly responded to the disclosure, conducting a comprehensive investigation into the matter.
They acknowledged the significant threat posed by the vulnerability and consequently awarded Marco Croc the highest possible bounty of $250,000 for his critical input.
“Curve Finance recognized the severity of the vulnerability,” Marco Croc said, highlighting the importance of the protocol’s quick action.
Although the protocol assessed the vulnerability as “not as dangerous,” being confident it could recover any funds that might have been stolen, Curve Finance admitted that such a security incident could have caused widespread panic within the community.
This acknowledgment comes in the wake of Curve Finance’s recovery from a massive $62 million hack in July.
In an effort to mitigate the impact on their users, Curve Finance and its community took significant steps towards compensation.
The protocol decided to reimburse $49.2 million worth of assets to affected liquidity providers (LPs).
This decision was backed by an overwhelming majority of tokenholders, with 94% approving the disbursement to cover losses across several pools including Curve, JPEG’d (JPEG), Alchemix (ALCX), and Metronome (MET).
The compensation proposal detailed the amounts to be recovered and redistributed: “The overall ETH to recover was calculated as 5919.2226 ETH, the CRV to recover was calculated as 34,733,171.51 CRV and the total to distribute was calculated as 55’544’782.73 CRV.”
The attacker had exploited a bug in certain versions of the Vyper programming language that left versions 0.2.15, 0.2.16, and 0.3.0 susceptible to reentrancy attacks.
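The two vulnerabilities mentioned above, the balance-tampering reentrancy bug Marco Croc reported and the broken reentrancy protection in the affected Vyper versions, are the same class of failure: a withdraw path is re-entered before its bookkeeping is finished. The following is an added example (constructed here, not Curve Finance's or Vyper's code) in Python: a toy pool whose `withdraw` can be configured with an effective or ineffective lock and with state updates before or after the outgoing transfer, plus a solvency invariant of the kind a monitor can check. The pool, its accounts, and the amounts are all assumptions made for the illustration.

```python
# Toy model of a liquidity pool's withdraw path (constructed example).
# It shows why a reentrancy guard that does not actually hold lets a caller be
# credited more than it deposited, and why checks-effects-interactions ordering
# limits the damage even when the guard is broken.


class ReentrancyBlocked(Exception):
    """Raised when an effective lock rejects a nested withdraw."""


class Pool:
    def __init__(self, lock_effective=True, effects_before_call=True):
        self.balances = {}            # account -> credited amount
        self.reserve = 0              # units actually held by the pool
        self.locked = False
        self.lock_effective = lock_effective        # False models a broken lock
        self.effects_before_call = effects_before_call

    def deposit(self, who, amount):
        self.balances[who] = self.balances.get(who, 0) + amount
        self.reserve += amount

    def withdraw(self, who, amount, on_transfer):
        # Guard: a correct lock refuses to run while another withdraw is in flight.
        if self.locked and self.lock_effective:
            raise ReentrancyBlocked("withdraw re-entered while locked")
        self.locked = True
        try:
            if self.balances.get(who, 0) < amount:
                raise ValueError("insufficient balance")
            if self.effects_before_call:
                # checks -> effects -> interactions: bookkeeping first
                self.balances[who] -= amount
                self.reserve -= amount
                on_transfer(self)
            else:
                # interaction before effects: the balance still looks intact
                # to any code that runs inside the transfer callback
                on_transfer(self)
                self.balances[who] -= amount
                self.reserve -= amount
        finally:
            self.locked = False


def invariant_holds(pool):
    """Solvency check a monitor can evaluate after every call:
    no account is negative and credited balances never exceed the reserve."""
    return (all(b >= 0 for b in pool.balances.values())
            and sum(pool.balances.values()) <= pool.reserve)


def run_scenario(lock_effective, effects_before_call, depth=3):
    """One liquidity provider ('lp') and one caller ('c') whose transfer
    callback re-enters withdraw up to `depth` times. Returns the caller's net
    gain, an outcome label, and whether the pool invariant still holds."""
    pool = Pool(lock_effective, effects_before_call)
    pool.deposit("lp", 100)
    pool.deposit("c", 10)
    nested = {"n": 0}
    received = {"c": 0}

    def on_transfer(p):
        received["c"] += 10
        if nested["n"] < depth:
            nested["n"] += 1
            p.withdraw("c", 10, on_transfer)   # nested call from the callback

    try:
        pool.withdraw("c", 10, on_transfer)
        outcome = "completed"
    except ReentrancyBlocked:
        outcome = "blocked_by_lock"
    except ValueError:
        outcome = "rejected_insufficient_balance"
    return received["c"] - 10, outcome, invariant_holds(pool)


if __name__ == "__main__":
    for lock, effects_first in [(True, True), (False, True), (True, False), (False, False)]:
        print(f"lock_effective={lock} effects_before_call={effects_first}:",
              run_scenario(lock, effects_first))
```

Only the combination of an ineffective lock and effects after the interaction completes with a net gain for the caller and a negative credited balance, which is exactly what the invariant check flags. With the bookkeeping done before the transfer, the nested call fails its balance check even when the lock is broken, so the ordering is a second line of defence rather than a replacement for a working guard.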
This incident underlines the persistent threats in the DeFi space and the continuous need for rigorous security measures.