Curve Finance awarded the maximum bug bounty of $250,000 to cybersecurity researcher Marco Croc after thoroughly investigating the vulnerability. A security researcher has been rewarded $250,000 for discovering a vulnerability that has allowed hackers to siphon millions of dollars from crypto protocols in the past.
Pseudonymous cybersecurity researcher Marco Croc of Kupia Security identified a reentrancy vulnerability in the decentralized finance (DeFi) protocol Curve Finance. In an X thread, he explained how the bug could have been exploited to manipulate balances and withdraw funds from liquidity pools.
Marco Croc said that Curve Finance acknowledged the potential vulnerability and “recognizes the severity of the vulnerability.” After a thorough investigation, Curve Finance awarded Marco Croc its maximum bug bounty of $250,000.
According to Curve Finance, the threat was not classified as “very dangerous,” and the team believed it would have been able to recover any stolen funds in such a scenario. However, the protocol noted that a security incident of any scale “might have created serious panic.”
Curve Finance survived a $62 million hack in July. As part of returning to normalcy, the DeFi protocol voted to compensate liquidity providers (LPs) with assets worth $49.2 million.
On-chain data confirms that 94% of token holders approved the distribution of over $49.2 million worth of tokens to cover losses in the Curve, JPEG’d (JPEG), Alchemix (ALCX), and Metronome (MET) pools.
According to Curve’s proposal, the community fund will provide Curve DAO (CRV) tokens. The final amount includes a deduction for tokens recovered since the incident.
“In total, the recovery of ETH 2,887 was calculated to be 5919.2226 ETH, the CRV to be recovered was calculated to be 34,733,171.51 CRV, and the total to be distributed was calculated to be 55,544,782.73 CRV,” the proposal states.
The July attacker exploited a vulnerability in stable pools built with certain versions of the Vyper programming language. The compiler bug left contracts compiled with Vyper versions 0.2.15, 0.2.16 and 0.3.0 vulnerable to reentrancy attacks.