Alchemix reports that all misappropriated funds from Curve pools have been returned
After collecting almost $7 million in bug rewards, the hacker began repaying stolen cash. Alchemix and JPEGd had received their money back.
The Curve finance hacker has returned all monies taken from the lending site Alchemix. Alchemix’s alETH-ETH pool lost $13.6 million alone in the assault on July 30, which stole a total of nearly $61 million from cryptocurrency exchanges.
In addition to Alchemix, the pETH-ETH pool for JPEGd witnessed withdrawals of $11.4 million and the sETH-ETH pool for Metronome had outflows of almost $1.6 million. The hacker carried out reentrancy attacks on Curve Finance stable pools written in insecure versions of the Vyper programming language.
Once the hacker accepted the bug bounty offer, the money began to be returned. On August 3, Curve, Metronome, and Alchemix launched a cooperative effort to retrieve the stolen assets, with each company giving a 10% bounty of the seized funds as a prize and pushing the perpetrators of the exploit to return the other 90%, which would bring the total payout to close to $7 million.
The attacker apparently wrote a statement meant for the Alchemix and Curve teams, saying that they were prepared to repay the money but would not do so if doing so would “ruin” the projects.
The hacker has returned 5,495 Ether, and the nonfungible token protocol JPEG’d has been reimbursed as well. As part of the reward, the protocol has promised not to prosecute anybody responsible.