Curve hacker behind $61M heist begins returning funds

Graphics Card Deals

The attacker behind the $61 million July 30 Curve Finance assault has returned 4,820.55 Alchemix ETH (alETH), price roughly $8,889,118, to the Alchemix Finance staff and 1 Ether (ETH), roughly $1,844, to the Curve Finance staff. The Alchemix Finance protocol alETH-ETH pool on Curve is likely one of the swimming pools initially exploited.

The Curve Finance protocol was attacked through a reentrancy bug on July 30, and over $61 million worth of crypto was lost in the attack. The exploit affected the Alchemix Finance alETH-ETH, JPEG’d pETH-ETH and Metronome sETH-ETH pools. The JPEG’d pool, in particular, was front-run by a miner extractable value (MEV) bot, causing the proceeds from the attack to go to the bot instead of the attacker. The emergency mutisignature wallet suspended all rewards for affected pools on Aug. 2.

Total losses for the exploit were originally estimated at $47 million, but were later updated to $61.7 million.

On Aug. 4, at 3:45 pm UTC, the attacker posted a message on the Ethereum community, seemingly directed on the Alchemix and Curve improvement groups. In it, the attacker claimed they’d return the funds, however solely as a result of they didn’t wish to “break” the tasks concerned, not as a result of the attacker had gotten caught.

Related articles

At 11:16 am UTC, the attacker returned 1 alETH to the Curve Finance deployer account. Roughly two hours later, they made three separate transfers including as much as 4,820.55 alETH, which had been all despatched to the Alchemix improvement staff multisig pockets.

Associated: Curve, Metronome and Alchemix providing 10% bug bounty on Vyper hack

The full returned funds add as much as roughly $8.9 million price of cryptocurrency. Because the authentic assault was for over $61 million, these returned funds signify roughly 15% of the full quantity drained. Nonetheless, some funds might have been moved to different addresses and could also be returned in separate transactions.

The MEV bot that front-ran the JPEG’d pool assault might also search to return funds. After transferring the funds to a separate deal with, it posted a message at 6:47 am UTC that implied its proprietor was attempting to barter with the builders via electronic mail.

Nonetheless, the funds from the bot have to date not been returned to any verifiable developer account.