Decentralized exchange Curve Finance has teamed up with Metronome and Alchemix to offer a 10% bug bounty to the attackers behind the recent exploit that saw more than $50 million siphoned off the platforms’ pools.
According to an on-chain message on one hacker’s Ethereum address, the protocols are willing to cease the pursuit of the case if the attackers return 90% of the stolen funds, keeping 10% for themselves.
Curve, Metronome, and Alchemix Offer Hacker 10% Bounty
Recall that four Curve Finance pools were exploited on July 30. The attackers were able to access the pools through a malfunctioning re-entrancy lock in Vyper, a smart contract programming language for the Ethereum Virtual Machine.
The exploit affected decentralized finance protocols like Metronome, Alchemix, and Ellipsis. While the total amount lost due to the hack remains unclear, the losses are estimated to be above $50 million.
Curve, Metronome, and Alchemix have taken steps toward recovering the funds by reaching out to the attackers on-chain, promising no risk of law enforcement issues if they comply with the offer. The trio has given the hackers until August 6 to return 90% of the funds; otherwise, the bounty will be offered to the public and given to anyone who identifies them.
“If you choose not to partake in the voluntary return and complete the process by August 6 at 0800 UTC, we will expand the bounty to the public, and offer the full 10% to the person who is able to identify you in a way that leads to your conviction in the courts. We will pursue you from all angles with the full extent of the law,” the protocols said.
Roughly $5.4M Returned
The platforms proceeded to provide an email address for the exploiters to contact them for negotiations as soon as possible. They noted that whoever claims to be the exploiter would need to verify their ownership of the addresses holding the stolen funds before any discussions can take place.
Meanwhile, a white hat hacker named c0ffeebabe.eth already returned 2,879 ETH worth approximately $5.4 million to the protocol deployer address on July 31 after exploiting one of the exchange’s pools to prevent more losses.