JPEG'd, a Decentralized Finance (DeFi) protocol that integrates Non-Fungible Tokens (NFTs), has confirmed the return of 5,495 ETH, equivalent to about $10 million at current prices. This amount had been stolen during the Curve Finance hack on July 30. The hackers, who orchestrated the hack, were rewarded with a bounty of 610.6 ETH, which amounts to approximately $1.1 million. The JPEG'd protocol, which allows users to borrow funds against their collateralized NFTs, lost around $11.6 million in cryptocurrency during the Curve hack.
In an August 4 announcement on X (formerly Twitter), the JPEG'd team reported that the stolen funds had been returned to the JPEG DAO multising wallet address. They explicitly stated that no further legal actions or investigations would be pursued against the hackers and classified the incident as a "white hat rescue," indicating that the hackers' intention was to highlight vulnerabilities for the greater good.
The hack affected various projects within the DeFi ecosystem that were built on Curve Finance, such as decentralized exchange Ellipsis, lending platform Alchemix, and the Metronome synthesis protocol. This exploitation stemmed from a security vulnerability in the Vyper smart contract programming language used in the mining pool. The combined loss across these projects amounted to around $70 million worth of cryptocurrency.
To recover the stolen funds, Curve Finance, Metronome, and Alchemix initiated a joint effort. They proposed a deal to the hackers offering a 10% bounty and assurance of no legal repercussions if the hackers returned the remaining 90% of the funds. In response , the hackers agreed to this arrangement within 24 hours and began returning the stolen assets to various projects. Besides returning funds to JPEG'd, the hackers also restored 4,820.55 Alchemix ETH (alETH) worth approximately $8.8 million to the Alchemix Finance team and returned 1 ETH, approximately $1,829, to the Curve Finance team.
