On July 30, Curve's alETH/msETH/pETH stablecoin pools were attacked because of a malfunctioning reentrancy lock in some versions of Vyper (0.2.15, 0.2.16, and 0.3.0). As a result of the attack on these Curve pools, Alchemix, JPEG'd, Metronome, deBridge, and Ellipsis have suffered a cumulative loss of approximately $70 million:
Alchemix: 7,259 ETH and 4,821 alETH (about $22 million);
JPEG'd: 6,106 ETH (about $11.4 million);
Metronome: 866.554 ETH (about $1.6 million), 955 msETH (about $1.7 million);
CRV-ETH pool: 10,500 ETH (about $19.4 million), 7.19 million CRV (about $4.4 million).
CRV price falls after the attack, and the founder's loan faces liquidation risk
Following the attack, Curve Finance's total value locked (TVL) dropped from US$3.266 billion on July 30 to US$1.869 billion on July 31, a 24-hour drop of 42.78%, and the CRV price fell by 14.89% in 24 hours.
The falling CRV price exposed Curve founder Michael Egorov's $70 million loan position on Aave to liquidation risk. In response, Egorov sold CRV over the counter (OTC) to raise funds to repay the loan.
Between the start of OTC sales on August 1 and August 6, Egorov sold a total of 142.65 million CRV to 30 investors/institutions, in exchange for US$57.06 million.
As of August 6, Egorov still had 269.8 million CRV (approximately US$166 million) pledged on four platforms, with a debt of approximately US$48.7 million.
Attacker returns funds
On July 30, the exploiter coffeebabe.eth returned 786 ETH ($1.45 million) and 955 msETH ($1.74 million) to Metronome, and 2,879 ETH ($5.36 million) to Curve Finance;
On August 3, the Curve Foundation sent an on-chain message to the exploiter, saying that if the attacker returns the remaining 90% before 8:00 a.m. (UTC) on August 6, he will receive 10% of the stolen funds as a bounty;
On August 4, the attacker 0x6ec returned 5495 WETH (US$10 million) to JPEG'd and kept 610 ETH (US$1.1 million) as a 10% bounty; the attacker 0xdce returned 2258 ETH (US$4.15 million) and 4820 alETH (US$8.82 million) to AlchemixFi;
On August 5, 0xdce returned 4,999 ETH (US$9.18 million) to AlchemixFi, at which point all of the AlchemixFi funds had been returned;
As of August 6, 32% of the stolen assets (approximately $18.7 million) have not been returned:
80 ETH ($14,700) from MetronomeDAO (custodied by coffeebabe.eth);
7,681 ETH ($14.4M) and 7.19M CRV ($4.43M) from the CRV-ETH pool.
As of press time, of the $59.5 million stolen in the Curve Finance Vyper exploit, approximately $40.3 million has been returned, $560,000 has been paid as a bounty to the hacker, and approximately $18.7 million has yet to be returned by the CRV/ETH exploiter (0xb752...b324).
On August 7, Curve Finance tweeted that the deadline for the CRV/ETH vulnerability attacker to voluntarily return the funds has passed, and a bounty reward (currently $1.85 million) will be offered to anyone who provides information leading to the hacker's arrest and conviction.