Curve Finance awards dev $250k for finding reentrancy vulnerability
A security researcher was rewarded $250,000 for discovering a vulnerability that has historically allowed hackers to pull out millions of dollars from cryptocurrency protocols.
Pseudonymous cybersecurity researcher Marco Croc from Kupia Security identified a reentrancy vulnerability in decentralized finance (DeFi) protocol Curve Finance.
In an X thread, he explained how the bug could be exploited to manipulate balances and withdraw funds from liquidity pools.
Curve Finance acknowledged potential security flaws and “recognized the severity of the vulnerability,” Marco Croc explained. After a thorough investigation, Curve Finance awarded Marco Croc its maximum bug bounty award of $250,000.
According to Curve Finance, the threat was classified as “not as dangerous,” and they believed they could recover the stolen funds in such a case.
However, the protocol said a security incident of any scale “could have caused serious panic if it had happened.”
Related: Curve Finance debt will cause 'one more stress test' in February — Analyst
Curve Finance recently recovered from a $62 million hack in July. As part of returning to normalcy, the DeFi protocol voted to reimburse $49.2 million worth of assets to the liquidity providers (LPs).
On-chain data confirms that 94% of tokenholders approved the disbursement of tokens worth over $49.2 million to cover the losses of the Curve, JPEG’d (JPEG), Alchemix (ALCX) and Metronome (MET) pools.
According to Curve’s proposal, the community fund will supply the Curve DAO (CRV) tokens. The final amount also includes a deduction for the tokens recovered since the incident.
“The overall ETH ( ETH ) to recover was calculated as 5919.2226 ETH, the CRV to recover was calculated as 34,733,171.51 CRV and the total to distribute was calculated as 55’544’782.73 CRV,” reads the proposal.
The attacker exploited a vulnerability on stable pools using some versions of the Vyper programming language. The bug made Vyper’s 0.2.15, 0.2.16 and 0.3.0 versions vulnerable to reentrancy attacks.
Magazine: 68% of Runes are in the red — Are they really an upgrade for Bitcoin?
Disclaimer: The content of this article solely reflects the author's opinion and does not represent the platform in any capacity. This article is not intended to serve as a reference for making investment decisions.
You may also like
XRP’s 16-Day $3 Surge Sparks Hopes of Breaking All-Time Highs
Trump turns on ‘buddy’ Putin over Ukraine, says he’ll slap Russia with sanctions now
Share link:In this post: Trump warned he may hit Russia with new sanctions after fresh missile attacks on civilians. Trump met with Zelenskyy in Rome and called the meeting productive, but gave no full details. Trump offered a peace deal that includes recognizing Crimea as Russian territory, which Zelenskyy rejected.
Trump’s economic and geopolitical failures took center stage at Pope Francis’ funeral
Share link:In this post: Trump’s economic and diplomatic tensions took over the spotlight at Pope Francis’ funeral. Trump met briefly with Zelenskyy, Macron, and Starmer during the service but made little progress. Trump skipped a second meeting with Zelenskyy and left Rome quickly after the Mass.
Elon Musk and Nobel laureates call for investigation into OpenAI’s nonprofit mission
Share link:In this post: Elon Musk called OpenAI restructuring plan the “scam of the century” after experts oppose it. Legal and AI experts have called on Attorneys General of Delaware and California to OpenAI core mission as a non-profit. Concerns about Open AI deviating from its non-profit origins is not limited to Musk.
Trending news
MoreCrypto prices
More
