In the recent hack of the decentralized finance (DeFi) protocol Curve Finance, a white hat hacker managed to steal around 2,879 Ether, valued at approximately $5.4 million. However, this ethical hacker chose to return the stolen assets to Curve Finance, demonstrating the role of "white hat" hackers in safeguarding the crypto ecosystem. The exploit occurred on July 30 and affected multiple stable pools on Curve Finance, resulting in an estimated loss of around $47 million for the protocol. The vulnerability was attributed to a faulty reentrancy lock present in various versions of the Vyper programming language, highlighting the importance of secure coding practices in DeFi protocols.
The intervention of the ethical hacker, operating under the username "c0ffeebabe.eth," proved crucial in protecting nearly 3,000 ETH against malicious actors. The hacker utilized front-end bots to secure the funds, which were then returned to the Curve deployer address, believed to be the legitimate custodian. However, amid the aftermath of the hack, there were reports of fake refund schemes being promoted by Twitter accounts impersonating Curve Finance and victims of the attack. As of now, the official Curve Finance account has not issued any refund plans.
In a parallel incident, the BNB Smart Chain also faced copycat attacks due to the same Vyper vulnerability. Blockchain security firm BlockSec reported three breaches resulting in approximately $73,000 being stolen. These attacks put additional strain on the DeFi ecosystem, raising concerns about the security measures employed by various protocols. In response to the growing cybersecurity threats, the US Securities and Exchange Commission (SEC) introduced new rules mandating timely disclosure of significant cyberattacks involving US-listed companies. The rules aim to enhance transparency and strengthen cybersecurity risk management practices in the financial industry.