
Quick Take
- A white hat MEV bot operator named ‘c0ffeebabe.eth’ ethically returned 2,879 ETH ($5.4 million) to Curve Finance.
- The bot front-ran a malicious hacker and secured the funds which were later returned to Curve.

In an act of ethical hacking, an MEV bot operator bearing the ENS name ‘c0ffeebabe.eth’ returned 2,879 ETH (valued at approximately $5.4 million) to Curve Finance. These funds had been diverted from the CRV-ETH liquidity pool during an exploit.

Curve faced a major hack yesterday that took place in two distinct phases. Initially, an estimated $26 million was appropriated due to a reentrancy vulnerability within its factory pools. This adversely impacted multiple projects, including JPEG'd, Metronome, and Alchemix. This initial attack was followed by a second phase in which 7.1 million CRV ($4.4 million) and 7,680 wrapped ether ($14.37 million) were drained from Curve Finance’s CRV-ETH pool.

Employing an MEV bot, the ethical hacker c0ffeebabe.eth front-ran a malicious hacker, securing the aforementioned 2,879 ETH during the second phase. This sum was later returned by c0ffeebabe.eth to the Curve deployer address, presumably its rightful custodian.

The Curve incident was precipitated by a vulnerability in an outdated version of the Vyper programming language that allowed reentrancy in Curve’s smart contract code. This lapse enabled attackers to siphon off funds from several projects. Security firm PeckShield estimated that, in light of this vulnerability and the consequent malicious activities, the total assets siphoned from Curve pools amount to an alarming $52 million. However, after c0ffeebabe.eth's return, this amount would be estimated at $46.5 million.

Curve Finance’s total value locked (TVL) has suffered a steep decline after the attack. It has dropped from $3.26 billion on July 30 to $1.74 billion, an almost 46% drop within a 24-hour span, according to data from DefiLlama.

© 2023 The Block Crypto, Inc. All Rights Reserved. This article is provided for informational purposes only. It is not offered or intended to be used as legal, tax, investment, financial, or other advice.
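The article names reentrancy as the vulnerability class behind the drain but does not show what it looks like. The following is an added illustration, not Curve's pool code and not a reproduction of the Vyper compiler defect: it is a generic Python model of a pool whose withdrawal pays the caller before updating its balance, placed beside the hardened ordering (checks-effects-interactions plus a working reentrancy lock) and an invariant check a defender can use to detect the broken state. The class and function names (`Pool`, `withdraw_vulnerable`, `withdraw_safe`, `ReenteringDepositor`, `simulate`) and the 90/10 deposit scenario are assumptions constructed for this example.

```python
from typing import Callable, Dict


class Pool:
    """Minimal liquidity-pool model: per-depositor balances plus a shared reserve.
    Assumed structure for this example; it is not Curve's pool code."""

    def __init__(self) -> None:
        self.balances: Dict[object, int] = {}
        self.reserve = 0
        self._locked = False  # reentrancy lock used only by withdraw_safe

    def deposit(self, who: object, amount: int) -> None:
        self.balances[who] = self.balances.get(who, 0) + amount
        self.reserve += amount

    def withdraw_vulnerable(self, who) -> None:
        """Interaction before effect: the depositor is paid (external call) while its
        balance still reads the full amount, so a re-entering call withdraws again."""
        amount = self.balances.get(who, 0)
        if amount == 0:
            return
        self.reserve -= amount
        who.receive(amount, self)      # external call; re-entry happens here
        self.balances[who] = 0         # effect applied only after the call

    def withdraw_safe(self, who) -> None:
        """Checks-effects-interactions ordering plus a reentrancy lock: state is
        updated before the external call, and a nested call is rejected."""
        if self._locked:
            raise RuntimeError("reentrant call rejected")
        self._locked = True
        try:
            amount = self.balances.get(who, 0)
            if amount == 0:
                return
            self.balances[who] = 0     # effect first
            self.reserve -= amount
            who.receive(amount, self)  # interaction last
        finally:
            self._locked = False

    def is_solvent(self) -> bool:
        """Invariant a pool must keep: the reserve covers every outstanding balance.
        A monitor can evaluate this after each block to flag a drain."""
        return self.reserve == sum(self.balances.values())


class ReenteringDepositor:
    """Models a contract whose payment hook calls back into the pool."""

    def __init__(self, withdraw: Callable, extra_calls: int) -> None:
        self.withdraw = withdraw
        self.extra_calls = extra_calls
        self.received = 0

    def receive(self, amount: int, pool: Pool) -> None:
        self.received += amount
        if self.extra_calls > 0:
            self.extra_calls -= 1
            try:
                self.withdraw(pool, self)
            except RuntimeError:
                pass  # a rejected nested call is ignored, like a failed low-level call


def simulate(withdraw: Callable, extra_calls: int = 3):
    """Constructed scenario: an honest depositor holds 90 units, the re-entering
    depositor 10. Returns (units the re-entering depositor received, pool reserve
    afterwards, whether the pool invariant still holds)."""
    pool = Pool()
    honest = object()
    depositor = ReenteringDepositor(withdraw, extra_calls)
    pool.deposit(honest, 90)
    pool.deposit(depositor, 10)
    withdraw(pool, depositor)
    return depositor.received, pool.reserve, pool.is_solvent()


if __name__ == "__main__":
    print("vulnerable:", simulate(Pool.withdraw_vulnerable))  # (40, 60, False)
    print("safe:      ", simulate(Pool.withdraw_safe))        # (10, 90, True)
```

With three nested calls the vulnerable ordering pays out four times the depositor's 10-unit balance and leaves the reserve unable to cover the honest depositor, which `is_solvent()` reports; the hardened ordering pays exactly once because the balance is zeroed before the call and the lock refuses the nested entry. The point the article makes about Vyper is that a lock of this kind is only a defence if the compiled contract actually enforces it, which is why the invariant check is worth running independently of the contract's own guards.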
Code vulnerability under scrutiny