Curve Finance Awards Dev $250k for Vulnerability Discovery
A cybersecurity researcher named Marco Croc has been rewarded with a $250,000 prize for uncovering a flaw in the decentralized finance (DeFi) protocol Curve Finance. This vulnerability had been historically used by hackers to steal millions of dollars from cryptocurrency platforms. Marco Croc, who works for Kupia Security, found a reentrancy vulnerability in Curve Finance that allowed for the manipulation of balances and withdrawal of funds from liquidity pools.
Curve Finance recognized the seriousness of the vulnerability after Croc’s discovery. They conducted a thorough investigation and ultimately awarded him the maximum bug bounty of $250,000. Although Curve Finance believed they could recover any stolen funds, they acknowledged the potential panic that could have occurred if a security incident had taken place on a larger scale. This is particularly notable as Curve Finance had recently recovered from a $62 million hack in July.
As part of their efforts to return to normalcy, Curve Finance made the decision to reimburse $49.2 million worth of assets to the liquidity providers who suffered losses due to the hacking incident. On-chain data revealed that 94% of tokenholders approved the disbursement of tokens to cover the losses of various pools, such as Curve, JPEG’d, Alchemix, and Metronome.
Under Curve Finance’s proposal, the Curve DAO tokens will be supplied from the community fund. The final amount to be distributed takes into account the tokens that have been recovered since the security incident. The proposal states that the total ETH to be recovered is 5919.2226 ETH, the CRV to be recovered is 34,733,171.51 CRV, and the total amount to be distributed is 55,544,782.73 CRV.
The attacker exploited a vulnerability in stable pools built with certain versions of the Vyper programming language. Specifically, versions 0.2.15, 0.2.16, and 0.3.0 of Vyper were susceptible to reentrancy attacks. This emphasizes the importance of regularly updating and patching software, including the compiler toolchain, to avoid security vulnerabilities.
By rewarding Marco Croc for his discovery, Curve Finance has taken an important step towards strengthening their security measures. This incident serves as a reminder of the ongoing need for vigilance and thorough testing within the cryptocurrency industry to protect users’ funds from potential threats.
It’s fantastic to see 94% of tokenholders approving the disbursement of tokens to cover the losses. Curve Finance’s community is standing strong!
So, they had a vulnerability, got hacked, and now they’re rewarding someone for finding it? Seems fishy to me. 🐟
It’s impressive to see the community coming together and approving the disbursement of tokens to cover the losses. Strength lies in unity!
Marco Croc’s discovery is a reminder of the constant threats in the cryptocurrency industry. We should all applaud his efforts and remain vigilant against cyber attacks! 👀💪
So they reward someone for finding a vulnerability they should’ve found themselves? That’s just lazy.
Who’s to say they won’t get hacked again? This doesn’t give me any confidence in their security measures.