Curve Finance Rewards Dev $250K for Vulnerability Discovery

As a crypto investor who’s been around for a while, I’ve seen my fair share of ups and downs in the DeFi space. The recent discovery of a significant vulnerability in Curve Finance by cybersecurity expert Marco Croc, aka @malicator, has certainly caught my attention.

Marco Croc, a cybersecurity expert, uncovered a major issue in the Curve Finance decentralized finance protocol. The bug belongs to a class known as "reentrancy", which has historically enabled attackers to siphon off large sums from cryptocurrency platforms.

In a comprehensive post on an online discussion platform, Marco Croc explained how the vulnerability could be abused, allowing a user to tamper with account balances and extract funds from Curve Finance's liquidity pools.

I acknowledge the gravity of the issue that was brought to our attention by Marco Croc. In appreciation for his diligent work in uncovering this vulnerability, we are pleased to reward him with a bug bounty of $250,000 – the highest amount we offer at Curve Finance.

I’m pleased to announce that I discovered a vulnerability in Curve Finance and have received a reward of $250,000 as part of their bug bounty program.

— Marco Croc (@malicator) April 30, 2024

Recognizing the risk of panic should funds be stolen, Curve Finance acknowledged the need to find a solution to recover those funds.

I’m glad we got this clarification. I can assure you that griefing attacks, while disruptive, aren’t as menacing as they may seem. My funds would remain secure and recoverable, so no profit would be gained by the attacker. This transpired peace of mind is invaluable, as it could have otherwise instigated unnecessary panic within the crypto community. Your diligent work in addressing this matter is greatly appreciated.

— Curve Finance (@CurveFinance) April 30, 2024

This finding follows the $62 million hack on Curve Finance in July. In order to resume regular activities, the Decentralized Finance (DeFi) platform chose to compensate LPs for a loss of approximately $49.2 million in assets.

According to on-chain data, approximately 94% of token holders voted in favor of distributing tokens to compensate for the damage incurred in the different pools affected by the hack.

The recovery plan proposed using Curve DAO (CRV) tokens from the community reserve; any previously recovered tokens would be taken into account and adjusted accordingly.

In that attack, a reentrancy vulnerability in certain versions of the Vyper compiler (specifically 0.2.15, 0.2.16, and 0.3.0) was exploited, putting the security of stable pools at risk.
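To make the reentrancy mechanism described above concrete, here is an added Python model (not Curve's or Vyper's code, and not the researcher's finding) of a pool whose withdraw() pays out before updating the caller's balance, run once with a reentrancy lock that fails to hold and once with a working lock. All names and amounts are constructed for the illustration.

```python
class Reentered(Exception):          # raised when a locked function is re-entered
    pass

class Pool:
    """Toy pool model (not Curve's or Vyper's code). guarded=False models a
    reentrancy lock that does not hold; guarded=True models a working lock."""
    def __init__(self, guarded):
        self.reserves, self.balances = 0, {}   # pool tokens, LP balances
        self.guarded, self._locked = guarded, False

    def withdraw(self, who):
        if self.guarded and self._locked:
            raise Reentered("withdraw() re-entered while in progress")
        outermost = not self._locked
        self._locked = True
        snapshot = (self.reserves, dict(self.balances))
        try:
            amount = self.balances[who]
            # Defective ordering: control passes to the recipient BEFORE its
            # balance is zeroed, so a recipient that calls back into withdraw()
            # still sees its old balance. Only the lock stops the repeat.
            self.reserves -= amount
            who.receive(self, amount)
            self.balances[who] = 0
        except Exception:
            if outermost:          # model the EVM reverting the whole tx
                self.reserves, self.balances = snapshot
            raise
        finally:
            if outermost:
                self._locked = False

class ReenteringLP:
    """Recipient that calls back into withdraw() while its balance is stale."""
    def receive(self, pool, amount):
        if pool.reserves >= amount:
            pool.withdraw(self)

def run(guarded):
    """Constructed scenario: honest LPs hold 900 tokens, the re-entering LP 100.
    Returns (reverted, tokens left in the pool)."""
    pool, lp = Pool(guarded), ReenteringLP()
    pool.balances, pool.reserves = {"honest LPs": 900, lp: 100}, 1000
    try:
        pool.withdraw(lp)
        return False, pool.reserves
    except Reentered:
        return True, pool.reserves
```

With the lock broken the pool is drained to zero; with a working lock the nested call reverts and the 1000 tokens stay in place. Zeroing the balance before the external transfer (checks-effects-interactions) removes the dependence on the lock altogether.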


2024-05-01 16:20