Curve Finance awards dev $250k for finding reentrancy vulnerability
A security researcher was rewarded $250,000 for discovering a vulnerability that has historically allowed hackers to pull out millions of dollars from cryptocurrency protocols.
Pseudonymous cybersecurity researcher Marco Croc from Kupia Security identified a reentrancy vulnerability in decentralized finance (DeFi) protocol Curve Finance.
In an X thread, he explained how the bug could be exploited to manipulate balances and withdraw funds from liquidity pools.
Curve Finance acknowledged potential security flaws and “recognized the severity of the vulnerability,” Marco Croc explained. After a thorough investigation, Curve Finance awarded Marco Croc its maximum bug bounty award of $250,000.
Source: Curve FinanceAccording to Curve Finance, the threat was classified as “not as dangerous,” and they believed they could recover the stolen funds in such a case.
However, the protocol said a security incident of any scale “could have caused serious panic if it had happened.”
Related: Curve Finance debt will cause 'one more stress test' in February — Analyst
Curve Finance recently recovered from a $62 million hack in July. As part of returning to normalcy, the DeFi protocol voted to reimburse $49.2 million worth of assets to the liquidity providers (LPs).
Source: Curve FinanceOn-chain data confirms that 94% of tokenholders approved the disbursement of tokens worth over $49.2 million to cover the losses of the Curve, JPEG’d (JPEG), Alchemix (ALCX) and Metronome (MET) pools.
According to Curve’s proposal, the community fund will supply the Curve DAO (CRV) tokens. The final amount also includes a deduction for the tokens recovered since the incident.
“The overall ETH ( ETH ) to recover was calculated as 5919.2226 ETH, the CRV to recover was calculated as 34,733,171.51 CRV and the total to distribute was calculated as 55’544’782.73 CRV,” reads the proposal.
The attacker exploited a vulnerability on stable pools using some versions of the Vyper programming language. The bug made Vyper’s 0.2.15, 0.2.16 and 0.3.0 versions vulnerable to reentrancy attacks.
Magazine: 68% of Runes are in the red — Are they really an upgrade for Bitcoin?
Disclaimer: The content of this article solely reflects the author's opinion and does not represent the platform in any capacity. This article is not intended to serve as a reference for making investment decisions.
You may also like
Chainlink ‘god candle’ appears as LINK price soars 27% in 24 hours
South Korea's martial law is the first since 1980
British government: will "closely monitor" the situation in South Korea
CryptoQuant founder Ki Young Ju says he will delete his previous tweet asking for help from Musk