TL;DR Breakdown
- Hacker’s change of heart sparks positive resolution in $61M DeFi exploit.
- Collective response and bounty offer lead to quick recovery of stolen funds.
- An unpredictable ethical dilemma unfolds in Alchemix and Curve Finance breach.
Alchemix, the popular lending platform, has announced the full recovery of stolen funds from a recent exploit on Curve Finance. The unexpected breach, which took place on July 30th, saw cryptocurrencies worth over $61 million being siphoned off, profoundly impacting Alchemix’s alETH-ETH pool by approximately $13.6 million.
Hacker Seizes Opportunity, Yet Shows a Change of Heart
Moreover, it wasn’t just Alchemix that bore the brunt. JPEG’d’s pETH-ETH pool and Metronome’s sETH-ETH pool suffered losses of $11.4 million and over $1.6 million, respectively. Significantly, the hacker exploited Curve Finance by targeting pools that used vulnerable versions of the Vyper programming language, carrying out reentrancy attacks against them.
We are extremely happy to announce that all funds stolen by the hacker of the Alchemix @CurveFinance pool have now been returned.
Full post mortem coming.
— Alchemix (@AlchemixFi) August 5, 2023
However, the tables began to turn rapidly when Curve, Alchemix, and Metronome rolled out an initiative on August 3rd, urging the perpetrator to return 90% of the stolen funds. In exchange, the entities offered a whopping 10% bounty, almost $7 million.
Less than a day after the bounty announcement, the original attacker started returning the stolen assets. Initially, the hacker returned 4,820.55 Alchemix ETH to the Alchemix Finance team and finally completed the transaction by August 5th.
JPEG’d exploit update:
Seems 5495 ETH was returned just now for a 10% whitehat bounty.
0x003b00378ac52c10200d8fcac0e42138a34e46b9d7c3350ad3372ae0eb141df3
Michael Razum is not the exploiter but was linked on-chain bc a few of his contracts were drained by this person.
— ZachXBT (@zachxbt) August 4, 2023
Additionally, an on-chain message from the hacker to the Alchemix and Curve teams read, “I’m refunding not because you can find me, it’s because I don’t want to ruin your project.” Hence, it becomes evident that the motive was not purely financial but involved a more profound ethical dilemma.
A White-Hat Rescue: JPEG’d Reacts Positively
Furthermore, JPEG’d, the nonfungible token protocol, confirmed that the hacker returned 5,495 Ether, approximately equivalent to $10 million. The hacker was rewarded with a 610.6 ETH bounty in return for this act. JPEG’d, known for enabling users to secure loans against their NFT collateral, had previously lost $11.6 million in the Curve heist.
Besides Alchemix and JPEG’d, the exploit had left a dent in the portfolios of decentralized exchange Ellipsis, synthetic protocol Metronome, and even Curve Finance itself. Together, these platforms suffered an estimated loss of $70 million in crypto assets.
Yet, with the announcement of the 10% bounty and assurance of no legal action, the hacker appeared to have had a change of heart. In subsequent steps, funds began flowing back to their rightful owners.
In light of these events, the JPEG’d team said, “Any further investigations or legal matters against the entity will end. We view this occurrence as a white-hat rescue.”
In conclusion, while the DeFi ecosystem still reels from the shock of the Curve exploit, the affected platforms’ rapid and collective response and the hacker’s unexpected act provide a glimmer of hope in the often unpredictable world of cryptocurrencies.



