A security researcher has been awarded a $250,000 bounty after discovering a vulnerability in the Curve Finance decentralized finance (DeFi) protocol, a protocol from which hackers have previously withdrawn millions of dollars.
Cyber-security expert Marco Croc from Kupia Security discovered and explained how to exploit this bug to manipulate balances and withdraw funds from the liquidity pool. Curve Finance acknowledged the vulnerability and, after a thorough investigation, awarded Marco Croc the maximum bug bounty of $250,000.
According to Curve Finance, the threat was classified as “not dangerous” and they believe they could recover the stolen funds in such a case.
Curve Finance recently recovered from a $62 million hack in July. As part of getting back to normal, the DeFi protocol voted to reimburse $49.2 million worth of assets to liquidity providers (LPs).
On-chain data confirms that 94% of token holders approved the disbursement of tokens worth over $49.2 million to make up for the losses of the Curve, JPEG’d, Alchemix, and Metronome pools.
As per Curve’s proposal, the community fund will provide Curve DAO tokens (CRV), net of the tokens already recovered from the incident. The total ETH to be recovered is 5919.2226 ETH, and the CRV to be recovered and distributed is 34,733,171.51 CRV and 55,544,782.73 CRV, respectively.
The attacker exploited the vulnerability in stablecoin pools that had been written in affected versions of the Vyper programming language (0.2.15, 0.2.16, and 0.3.0), creating a risk of a rollback attack.