Curve Finance, a popular decentralized finance (DeFi) protocol, has rewarded Marco Croc, a security researcher from Kupia Security, with $250,000 for uncovering a critical vulnerability. The flaw is a reentrancy vulnerability, a class of bug that has previously allowed hackers to steal millions of dollars from cryptocurrency protocols. It was found in Curve Finance and could be used to manipulate balances and withdraw funds from liquidity pools. Recognizing the severity of the issue, Curve Finance conducted a thorough investigation and awarded Marco Croc the maximum bug bounty.
Although the threat was deemed less dangerous, Curve Finance acknowledged the potential panic that could have occurred if a security incident had taken place. The reward is intended to incentivize responsible security research and strengthen the protocol’s defenses against potential exploits. This comes after Curve Finance’s recovery from a $62 million hack in July. As part of the recovery efforts, the protocol recently voted to reimburse $49.2 million worth of assets to liquidity providers.
The reimbursement plan involves using Curve DAO (CRV) tokens from the community fund and covers losses incurred in the Curve, JPEG’d (JPEG), Alchemix (ALCX), and Metronome (MET) pools. The disbursement was approved by 94% of tokenholders, resulting in a final distribution of 55,544,782.73 CRV. The amounts of Ethereum (ETH) and CRV to be recovered were calculated as 5,919.2226 ETH and 34,733,171.51 CRV, respectively.
The attack targeted stable pools and exploited a vulnerability affecting specific versions of the Vyper programming language. Versions 0.2.15, 0.2.16, and 0.3.0 of Vyper were found to be susceptible to reentrancy attacks, which the attacker used to carry out unauthorized fund withdrawals.
In April, the cryptocurrency industry experienced a significant decrease in combined losses from hacks and scams. Only $25.7 million was lost to exploits, hacks, and scams, marking the lowest amount since CertiK began tracking such data in 2021. Flash loan attacks accounted for $129,000 in losses, with the largest incident causing $55,000 in damages. This marked the lowest incidence of flash loan attacks since February 2022. Additionally, $4.3 million was lost to exit scams.
Despite these decreases, the first quarter of this year saw $336 million lost to Web3 hackers and fraud, with nearly half of that capital stolen in January alone. Even so, this represents a 23% decrease compared to the first quarter of 2023. It is worth noting that $73,885,000 of stolen Web3 capital has been recovered across seven incidents.