Curve Finance awards $250K for reentrancy exposure


A security researcher has been awarded $250,000 for discovering a vulnerability that has historically allowed hackers to withdraw millions of dollars in cryptocurrency.

Anonymous cybersecurity researcher Marco Kroc of Cupia Security identified a reentrancy vulnerability in the decentralized finance (DeFi) protocol Curve Finance.

In a thread on X, he explained how it could be used to manipulate balances and withdraw funds from liquidity pools.

Curve Finance acknowledges the potential security flaw and “recognizes the severity of the vulnerability,” Marco Kroc explained. After a thorough investigation, Curve Finance awarded Marco Kroc its highest bug bounty of $250,000.

Curve Finance classified the threat as “non-hazardous” and believed it could recover the stolen funds in this case.

However, the protocol states that a security breach at any level “could have caused serious terror”.

Curve Finance recently recovered from a $62 million hack in July. As part of the return to normalcy, the DeFi protocol has voted to return $49.2 million worth of assets to Liquidity Providers (LPs).

On-chain data confirms that 94% of token holders approved the disbursement of more than $49.2 million worth of tokens to cover the losses of the Curve, JPEG'd (JPEG), Alchemix (ALCX) and Metronome (MET) pools.

According to Curve's proposal, the community fund will issue the funds in Curve DAO (CRV) tokens. The final amount also includes a deduction for tokens recovered since the hack.

“The total ETH for recovery is 5919.2226 ETH, the CRV is calculated to 34,733,171.51 CRV, and the total for distribution is 55'544'782.73 CRV,” the proposal said.

The attacker exploited a vulnerability in stable pools built with certain versions of the Vyper programming language. The bug made Vyper versions 0.2.15, 0.2.16 and 0.3.0 vulnerable to reentrancy attacks.
