Curve is offering a $1.85 million bounty to anyone who can accurately identify the DeFi protocol’s exploiter in a way that leads to definitive legal repercussions.
“The deadline for the voluntary return of funds in the Curve exploit passed at 0800 UTC,” Curve publicly wrote in an Ethereum transaction’s input data, adding: “We now extend the bounty to the public, and offer a reward valued at 10% of remaining exploited funds (currently $1.85M USD) to the person who is able to identify the exploiter in a way that leads to a conviction in the courts.”
Curve also noted that it would not pursue the issue if the exploiter returns the funds in full, and shared the full message on X (formerly Twitter).
Curve exploiter: ‘I’m smarter than all of you’
Over $61 million was drained from Curve’s pools on July 30 after an exploiter utilized vulnerable versions of the Vyper programming language to execute reentrancy attacks on targeted stable pools.
The attacker returned stolen crypto to projects Alchemix and JPEGd after being offered a 10% bug bounty, but did not refund other exploited pools.
“I want to clarify that I’m refunding you not because you can find me, it’s because I don’t want to ruin your project,” they explained in a transaction, adding: “Maybe it’s a lot of money for a lot of people, but not for me, I’m smarter than all of you.”
© 2023 The Block Crypto, Inc. All Rights Reserved. This article is provided for informational purposes only. It is not offered or intended to be used as legal, tax, investment, financial, or other advice.