Curve Finance Rewards Security Researcher $250,000 for Uncovering Critical Vulnerability

05/01/2024 19:33
Curve Finance Rewards Security Researcher $250,000 for Uncovering Critical Vulnerability

Popular DeFi protocol Curve Finance has awarded a security researcher $250,000 for discovering a critical vulnerability.

Ruholamin Haqshanas

Last updated: | 2 min read

Curve Finance Rewards Security Researcher $250,000

Popular decentralized finance (DeFi) protocol Curve Finance has awarded a security researcher $250,000 for discovering a critical vulnerability that has historically enabled hackers to siphon off millions of dollars from cryptocurrency protocols. 

The researcher, known as Marco Croc from Kupia Security, identified a reentrancy vulnerability in Curve Finance and elaborated on the bug’s potential for manipulating balances and withdrawing funds from liquidity pools.

Acknowledging the severity of the vulnerability, Curve Finance conducted a thorough investigation and subsequently granted Marco Croc the maximum bug bounty award

Curve Finance Incentivizes White Hat Hacking


Even though the threat was categorized as “not as dangerous,” the protocol said they recognized the potential panic that could have ensued had a security incident occurred. 

With this reward, Curve Finance aims to incentivize responsible security research and strengthen its defenses against potential exploits.

This development comes in the wake of Curve Finance’s recovery from a $62 million hack in July. 

As part of the protocol’s restoration efforts, it recently voted to reimburse $49.2 million worth of assets to liquidity providers (LPs). 

The disbursement was approved by 94% of tokenholders, covering losses incurred in the Curve, JPEG’d (JPEG), Alchemix (ALCX), and Metronome (MET) pools.

Just wanted to emphasize the scale of this. Victims are made whole with this vote with:
– $7.2M worth of ETH recovered by whitehats to the DAO being distributed
– $42M worth of CRV compensating unrecovered parts (vested)
– Other whitehat-recovered funds distributed before vote https://t.co/qmcK9pmTe5

— Curve Finance (@CurveFinance) December 22, 2023

The reimbursement plan involves the use of Curve DAO (CRV) tokens from the community fund. 

It also accounts for tokens recovered since the incident, resulting in a final distribution of 55,544,782.73 CRV. 

The Ethereum (ETH) and CRV amount to be recovered were calculated as 5,919.2226 ETH and 34,733,171.51 CRV, respectively.

The vulnerability exploited by the attacker targeted stable pools and affected specific versions of the Vyper programming language. 

Versions 0.2.15, 0.2.16, and 0.3.0 of Vyper were found to be susceptible to reentrancy attacks, which the attacker leveraged to carry out unauthorized fund withdrawals.

April Records Lowest Crypto Hack Losses


The cryptocurrency industry experienced a major downturn in combined losses from hacks and scams in April.

The month saw the lowest combined losses from crypto-related hacks and scams since 2021, with approximately $25.7 million lost to exploits, hacks, and scams.

More specifically, only $25.7 million was lost in attacks throughout the month, marking the lowest amount since CertiK began tracking such data in 2021.

Flash loan attacks accounted for $129,000 in losses, with the largest incident causing $55,000 in damages. 

This marked the lowest incidence of flash loan attacks since February 2022, and $4.3 million was lost to exit scams.

As reported, the first quarter of this year has seen $336 million lost to Web3 hackers and fraud, with nearly half of the capital stolen in January alone. 

Nonetheless, the number represents a 23% decrease compared to the first quarter of 2023.

It is also worth noting that $73,885,000 has been recovered from stolen Web3 capital in 7 specific situations.

Read more --->