Following a software bug exploited on July 30 that led to a loss of over $70 million in digital assets, Curve Finance is offering a $1.85 million reward for help in identifying the perpetrator, provided it results in a lawful conviction.

The decentralized finance (DeFi) protocol, Curve Finance, fell victim to a software bug exploit on July 30, resulting in a loss of more than $70 million in various digital assets. The attacker took advantage of vulnerable versions of the Vyper programming language, performing re-entrancy attacks on select Curve liquidity pools. Curve Finance is seen as a structurally significant decentralized exchange in the DeFi landscape, with $3 billion in liquidity, particularly in the stablecoin swap markets.

On August 3, Curve and other affected protocols proposed a 10% bug bounty to the infiltrator, amounting to over $6 million. Some of the misappropriated assets were returned to Alchemix and JPEGd, but not the other impacted pools. According to PeckShield, as of Monday, 73% of the stolen funds (worth about $52.3 million) have been returned.

The attacker issued an on-chain message asserting that their decision to return the stolen assets was motivated by a desire not to inflict additional damage on the involved projects and claimed they are smarter than the affected projects' teams.

Curve's CRV governance token has fallen over 6% in the last seven days, trading at $0.61. Following the attack, it briefly dropped below $0.50 due to concerns about potential en masse liquidation of CRV collateral used on DeFi lending platforms.



