The July 30 attack on Curve Finance, which resulted in a loss of $61 million worth of crypto, has taken an unexpected turn. The attacker responsible for the attack has returned a significant portion of the stolen funds to the Alchemix Finance team and the Curve Finance team. The returned funds include 4,820.55 Alchemix ETH (alETH), worth around $8,889,118, and 1 Ether (ETH), approximately $1,844.
The attack on the Curve Finance protocol was carried out through a reentrancy bug, which allowed the attacker to exploit multiple pools, including the alETH-ETH pool on Curve. This pool was one of the pools originally targeted by the attacker. Along with the alETH-ETH pool, the JPEG’d pETH-ETH and Metronome sETH-ETH pools were also affected.
A unique aspect of this attack was the involvement of a miner extractable value (MEV) bot. The JPEG’d pool was front-run by this bot, causing the proceeds from the attack to go to the bot instead of the attacker. As a result, the attacker seemingly directed a message to the Alchemix and Curve development teams, expressing their intention to return the funds. However, the attacker’s motive for returning the funds was not because they had been caught, but rather to avoid damaging the projects involved.
Following this message, the attacker initiated the return of the funds. They first returned 1 alETH to the Curve Finance deployer account. Subsequently, within a span of approximately two hours, they made three separate transfers totaling 4,820.55 alETH, all of which were sent to the Alchemix development team multisig wallet. In total, the returned funds amount to approximately $8.9 million or 15% of the total amount drained in the original attack.
Related Post
It is important to note that while a significant portion of the funds has been returned, some funds may have been moved to other addresses and may be subject to separate transactions for their return. Additionally, the MEV bot that front-ran the JPEG’d pool attack may also intend to return the funds. However, as of now, there is no verifiable evidence of the bot returning the funds to any developer account.
The attack on Curve Finance initially estimated the losses to be $47 million but later revised the estimate to $61.7 million. The severity of the attack prompted the emergency multisignature wallet to suspend all rewards for the affected pools on August 2.
Despite the return of a significant portion of the stolen funds, it is worth acknowledging the vulnerabilities that led to such an attack. The reentrancy bug exploited in this attack highlights the importance of rigorous security measures within DeFi protocols. In response to the vulnerabilities exposed by this attack, Curve, Metronome, and Alchemix have taken steps to enhance their security, including offering a 10% bug bounty on Vyper hack.
The return of funds by the attacker is a rare occurrence in the cryptocurrency space. While the motives for the return may not be entirely clear, it does provide some relief to the affected projects and demonstrates the potential for decentralized governance and cooperation within the crypto community. As the investigation into the attack continues, it remains to be seen if additional funds will be returned and if further steps will be taken to prevent similar incidents in the future.
