Curve, Metronome and Alchemix offering 10% bug bounty on Vyper hack

cointelegraph.com:

Decentralized finance (DeFi) platforms Curve, Metronome and Alchemix have jointly announced an initiative to recover stolen funds from the recent exploits of Curve’s pools.

According to on-chain data, the protocols are offering a 10% bounty of the stolen funds as a reward, urging those responsible for the exploit to step forward and return the remaining 90%. The exploit on July 30 resulted in the theft of roughly $70 million in cryptocurrencies, which would bring the bounty close to $7 million.

Dear hacker, you've got an incoming messagehttps://t.co/ZKJjrO65PX

The offer comes with a guarantee of no further legal actions or involvement of law enforcement. “We want to resolve this in a civilized manner," says the message included in the transaction.

“You will have no risk of us pursuing this further, no risk of law enforcement issues," the protocols said in a joint statement, adding:

The trio has provided a direct channel for communication via curvenegotiation@protonmail.com and urged the responsible parties to respond immediately. It also emphasized that any individuals reaching out for negotiations must verify their ownership of the email address on-chain.

The attack occurred due to a critical vulnerability in versions of the Vyper programming language. Several pools using Vyper 0.2.15, 0.2.16 and 0.3.0 were targeted by a malfunctioning reentrancy lock, affecting four liquidity pools on Curve Finance.

The security incident has delivered a fresh sense of uncertainty across the crypto community, raising concerns about a possible domino effect on the DeFi ecosystem. Curve Finance’s native stablecoin, crvUSD, briefly depegged on Aug. 3, reacting to the hazy circumstances surrounding the protocol after the exploit.

Magazine: Sho