A cybersecurity researcher known as Marco Croc has been awarded $250,000 after discovering a vulnerability in the Curve Finance decentralized finance (DeFi) protocol. This type of vulnerability has historically been exploited by hackers to extract millions of dollars from cryptocurrency protocols.
Marco Croc, who works for Kupia Security, identified a reentrancy vulnerability in Curve Finance and explained how this bug could be used to manipulate balances and withdraw funds from liquidity pools. Upon investigating the issue, Curve Finance recognized the severity of the vulnerability and decided to award Marco Croc the maximum bug bounty of $250,000.
Despite classifying the threat as “not as dangerous,” Curve Finance acknowledged that any security incident, regardless of scale, could have caused significant panic. This is particularly relevant as the protocol recently experienced a $62 million hack in July.
To rectify the situation and restore normalcy, the DeFi protocol voted to reimburse $49.2 million worth of assets to the liquidity providers. On-chain data shows that 94% of tokenholders approved this disbursement, which covers the losses of various pools, including Curve, JPEG’d, Alchemix, and Metronome.
The proposal put forth by Curve states that the community fund will supply Curve DAO (CRV) tokens. The proposed amount also takes into account the tokens that have been recovered since the incident. The calculated figures for the recovery include 5,919.2226 ETH, 34,733,171.51 CRV, and a total distribution of 55,544,782.73 CRV.
In the July hack, the attacker exploited a vulnerability in stable pools that used certain versions of the Vyper programming language. Specifically, Vyper versions 0.2.15, 0.2.16, and 0.3.0 were susceptible to reentrancy attacks.