A security researcher, known as Marco Croc from Kupia Security, has been awarded $250,000 for identifying a significant vulnerability in the decentralized finance (DeFi) protocol Curve Finance. The bug turned out to be a reentrancy vulnerability, a class of flaw that hackers have historically exploited to siphon off millions of dollars from cryptocurrency protocols.
In a detailed explanation shared on an X thread, Marco Croc outlined how the bug could be leveraged to manipulate balances and withdraw funds from liquidity pools within the Curve Finance protocol. Recognizing the severity of the vulnerability, Curve Finance conducted a thorough investigation and subsequently awarded Marco Croc the maximum bug bounty amount.
Big thanks for the disclosure! Griefing attacks are not as dangerous (funds would be anyway recoverable, and no profit for attacker) – could have caused serious panic if happened.
This is an example of very professional work
— Curve Finance (@CurveFinance) April 30, 2024
Although Curve Finance classified the threat as “not as dangerous” and expressed confidence in recovering any stolen funds, they acknowledged the potential for serious panic if a security incident were to occur. This recognition comes as Curve Finance recently recuperated from a $62 million hack in July, during which they resolved to reimburse $49.2 million worth of assets to liquidity providers (LPs).
Just wanted to emphasize the scale of this. Victims are made whole with this vote with:
– $7.2M worth of ETH recovered by whitehats to the DAO being distributed
– $42M worth of CRV compensating unrecovered parts (vested)
– Other whitehat-recovered funds distributed before vote https://t.co/qmcK9pmTe5
— Curve Finance (@CurveFinance) December 22, 2023
On-chain data confirms that the disbursement of tokens, totaling over $49.2 million, to cover losses incurred by the Curve, JPEG’d (JPEG), Alchemix (ALCX), and Metronome (MET) pools was approved by 94% of tokenholders. The community fund will supply the Curve DAO (CRV) tokens, with the final amount also factoring in deductions for tokens recovered since the incident.
The attacker exploited a vulnerability in stable pools built with certain versions of the Vyper programming language. Vyper versions 0.2.15, 0.2.16, and 0.3.0 were found to be susceptible to reentrancy attacks, which is what enabled the exploit to occur.
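To make the reentrancy class named above concrete, the following is an added example written for this page in Python (it is not Curve Finance's code, not Vyper code, and does not reproduce the specific compiler defect). It models a pool whose withdraw function hands control to the recipient through a transfer hook, in three variants: interaction before state update with no lock (re-enterable), state update before interaction (checks-effects-interactions), and the same plus a shared reentrancy lock. `probe_reentrancy` is the kind of regression check a pool author runs; all account names and amounts are constructed.

```python
# Added example (not Curve Finance's or Vyper's code): a Python model of the
# reentrancy pattern named in the article. A pool that pays a withdrawer by
# calling back into the caller BEFORE it updates its own books can be
# re-entered; the same pool with checks-effects-interactions ordering and a
# reentrancy lock pays out exactly once. Names and amounts are constructed.
from typing import Callable, Dict


class ReentrancyError(Exception):
    """Raised when a locked pool function is entered a second time."""


class Pool:
    def __init__(self, guarded: bool, effects_first: bool) -> None:
        self.balances: Dict[str, int] = {}   # per-depositor credit
        self.reserve = 0                     # tokens actually held by the pool
        self.locked = False                  # reentrancy lock (one shared flag)
        self.guarded = guarded               # enforce the lock?
        self.effects_first = effects_first   # update state before the callback?

    def deposit(self, who: str, amount: int) -> None:
        self.balances[who] = self.balances.get(who, 0) + amount
        self.reserve += amount

    def withdraw(self, who: str, amount: int,
                 on_receive: Callable[["Pool"], None]) -> None:
        """Pay `amount` to `who`; `on_receive` models the token-transfer hook
        that hands control to the recipient in the middle of the call."""
        if self.guarded:
            if self.locked:
                raise ReentrancyError("withdraw re-entered while locked")
            self.locked = True
        try:
            if self.balances.get(who, 0) < amount:      # checks
                raise ValueError("insufficient balance")
            if self.effects_first:
                self.balances[who] -= amount            # effects
                self.reserve -= amount
                on_receive(self)                        # interactions last
            else:
                on_receive(self)                        # interaction first: bug
                self.balances[who] -= amount
                self.reserve -= amount
        finally:
            if self.guarded:
                self.locked = False


def probe_reentrancy(pool: Pool, who: str, amount: int, depth: int) -> dict:
    """Regression check a pool author can run: a recipient whose receive hook
    re-enters withdraw up to `depth` times. Returns what the recipient was
    paid, the pool's remaining reserve, and why re-entry stopped (if it did)."""
    state = {"paid": 0, "reentries": 0, "stopped_by": None}

    def hook(p: Pool) -> None:
        state["paid"] += amount                 # each hook call is one payout
        if state["reentries"] < depth:
            state["reentries"] += 1
            try:
                p.withdraw(who, amount, hook)
            except (ReentrancyError, ValueError) as err:
                # A failed inner call reverts only itself; the outer call
                # still completes, so record the reason and stop.
                state["stopped_by"] = type(err).__name__

    pool.withdraw(who, amount, hook)
    return {"paid": state["paid"], "reserve": pool.reserve,
            "stopped_by": state["stopped_by"]}


def run_scenarios() -> Dict[str, dict]:
    """Same deposits, three pool variants, one re-entering withdrawal each."""
    results: Dict[str, dict] = {}
    variants = {
        "interactions_first_unguarded": (False, False),
        "effects_first_unguarded": (False, True),
        "effects_first_guarded": (True, True),
    }
    for name, (guarded, effects_first) in variants.items():
        pool = Pool(guarded=guarded, effects_first=effects_first)
        pool.deposit("lp", 900)        # constructed: honest liquidity
        pool.deposit("probe", 100)     # constructed: the probing account
        results[name] = probe_reentrancy(pool, "probe", 100, depth=3)
    return results


if __name__ == "__main__":
    for name, outcome in run_scenarios().items():
        print(f"{name}: {outcome}")
```

In the first variant the probing account, credited with 100, is paid 400 and the pool's reserve drops from 1000 to 600, because every re-entered call still sees the stale balance. Ordering effects before the interaction is enough to stop this single-function case (the second call fails its balance check), and the lock stops it earlier still. The toy keeps one shared `locked` flag on purpose: a reentrancy guard only protects across functions if every guarded function checks the same flag, which is the property to verify when auditing a guard implementation or a compiler's generated code for one.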