Curve Finance, a decentralized finance (DeFi) platform, has announced its intention to reimburse users who suffered losses of $62 million in a recent hack. In an official statement on its X (formerly Twitter) account, the platform indicated that the ongoing investigation into The incident is making progress, and about 79% of the funds have been successfully recovered. Curve Finance also pledged to assess compensation for each affected user on an individual basis, aiming for a fair distribution of resources.
The hack occurred on July 30 and involved exploiting a vulnerability in Curve Finance's Vyper compiler release history. The attacker specifically targeted versions 0.2.15 to 0.3.0 of the Vyper compiler. Cybersecurity experts have noted that identifying such vulnerabilities demand significant expertise and resources. A contributor to Vyper stated that the attack was likely premeditated weeks prior to its execution. The exploit impacted various pools, including CRV/ETH, alETH/ETH, msETH/ETH, and pETH/ETH. There are also concerns that triple-crypto pool the s on the Arbitrum network could potentially be vulnerable to similar exploits.
The aftermath of the hack has raised awareness of a challenge in the emerging cryptocurrency space: the lack of proper incentives to detect vulnerabilities in previous software iterations. Hackers enticed individuals responsible for the attack with a 10% bounty, which was accepted , and they subsequently began returning the stolen funds. As of the time of writing, the total value of the returned funds was 4,821 ether, equivalent to around $8,891,578, according to Etherscan data.
