Curve Finance awards dev $250k for finding reentrancy vulnerability
A security researcher has been awarded $250,000 for discovering a reentrancy vulnerability, a class of bug that has historically allowed hackers to drain millions of dollars from cryptocurrency protocols.
Pseudonymous cybersecurity researcher Marco Croc from Kupia Security identified a reentrancy vulnerability in decentralized finance (DeFi) protocol Curve Finance.
In an X thread, he explained how the bug could be exploited to manipulate balances and withdraw funds from liquidity pools.
Curve Finance acknowledged potential security flaws and “recognized the severity of the vulnerability,” Marco Croc explained. After a thorough investigation, Curve Finance awarded Marco Croc its maximum bug bounty award of $250,000.
According to Curve Finance, the threat was classified as “not as dangerous,” and the team believed that, had it been exploited, it could have recovered the stolen funds.
However, the protocol said a security incident of any scale “could have caused serious panic if it had happened.”
Curve Finance recently recovered from a $62 million hack in July. As part of returning to normalcy, the DeFi protocol voted to reimburse $49.2 million worth of assets to the liquidity providers (LPs).
On-chain data confirms that 94% of tokenholders approved the disbursement of tokens worth over $49.2 million to cover the losses of the Curve, JPEG’d (JPEG), Alchemix (ALCX) and Metronome (MET) pools.
According to Curve’s proposal, the community fund will supply the Curve DAO (CRV) tokens. The final amount also includes a deduction for the tokens recovered since the incident.
“The overall ETH (ETH) to recover was calculated as 5,919.2226 ETH, the CRV to recover was calculated as 34,733,171.51 CRV and the total to distribute was calculated as 55,544,782.73 CRV,” reads the proposal.
The attacker exploited a compiler bug affecting stable pools that had been compiled with certain versions of the Vyper programming language. In Vyper 0.2.15, 0.2.16 and 0.3.0 the reentrancy lock (the `@nonreentrant` decorator) did not work as intended, leaving contracts built with those compiler versions open to reentrancy attacks even though their source code used the lock.
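To make the two points above concrete (balances manipulated mid-withdrawal, and a reentrancy lock that fails to protect), here is a small Python simulation added to this article. It is not Curve's or Vyper's code. It models a single-asset pool whose `remove_liquidity` pays out through an external call (simulated as a Python callback) before burning the caller's LP tokens, so the pool's ETH/LP ratio is temporarily wrong while control is in the caller's hands. The `lock_mode="per_function"` setting is an illustrative assumption, a lock that guards each function separately and so does not stop re-entry through a different function; it is a simplified stand-in for the failure class described, not a reproduction of the Vyper compiler bug. All names, amounts and the `run_attack` scenario are constructed for the example.

```python
"""Toy reentrancy model of a liquidity pool (added example, not Curve or Vyper code).

An external call is simulated as a Python callback so the attack, a shared
reentrancy lock, and checks-effects-interactions ordering can be traced offline.
"""
from dataclasses import dataclass, field
from typing import Callable, Dict, Optional


class Reverted(Exception):
    """Stands in for an EVM revert."""


@dataclass
class Pool:
    # "shared": one lock for every guarded function (the correct behaviour).
    # "per_function": each function has its own lock, so it never blocks
    #   re-entry via a *different* function. Assumed simplification, not compiler code.
    # None: no lock at all.
    lock_mode: Optional[str] = "shared"
    effects_first: bool = False      # True = burn LP before paying out (CEI ordering)
    eth: int = 0                     # ETH held by the pool
    lp_supply: int = 0               # total LP tokens outstanding
    lp: Dict[str, int] = field(default_factory=dict)         # LP balance per address
    wallets: Dict[str, int] = field(default_factory=dict)    # ETH held outside the pool
    on_receive: Dict[str, Callable[["Pool", int], None]] = field(default_factory=dict)
    _locks: Dict[str, bool] = field(default_factory=dict)

    def _enter(self, fn: str) -> Optional[str]:
        if self.lock_mode is None:
            return None
        key = "lock" if self.lock_mode == "shared" else fn
        if self._locks.get(key):
            raise Reverted(f"reentrant call into {fn}")
        self._locks[key] = True
        return key

    def _exit(self, key: Optional[str]) -> None:
        if key is not None:
            self._locks[key] = False

    def _burn(self, who: str, lp_amount: int) -> None:
        self.lp[who] -= lp_amount
        self.lp_supply -= lp_amount

    def add_liquidity(self, who: str, amount: int) -> int:
        key = self._enter("add_liquidity")
        try:
            if self.wallets.get(who, 0) < amount:
                raise Reverted("insufficient ETH")
            # LP is minted pro rata to the pool's *current* ETH/LP ratio. If that
            # ratio is stale because another call is mid-flight, minting is wrong.
            if self.lp_supply == 0 or self.eth == 0:
                minted = amount
            else:
                minted = amount * self.lp_supply // self.eth
            self.wallets[who] -= amount
            self.eth += amount
            self.lp[who] = self.lp.get(who, 0) + minted
            self.lp_supply += minted
            return minted
        finally:
            self._exit(key)

    def remove_liquidity(self, who: str, lp_amount: int) -> int:
        key = self._enter("remove_liquidity")
        try:
            if self.lp.get(who, 0) < lp_amount:
                raise Reverted("insufficient LP")
            payout = lp_amount * self.eth // self.lp_supply
            if self.effects_first:           # checks-effects-interactions: burn first
                self._burn(who, lp_amount)
            self.eth -= payout
            self.wallets[who] = self.wallets.get(who, 0) + payout
            if who in self.on_receive:       # the external call: control leaves the pool
                self.on_receive[who](self, payout)
            if not self.effects_first:       # vulnerable ordering: burn after the call
                self._burn(who, lp_amount)
            return payout
        finally:
            self._exit(key)


def run_attack(lock_mode: Optional[str], effects_first: bool) -> dict:
    """Victim and attacker each deposit 100 ETH; the attacker withdraws and
    re-enters add_liquidity from the receive hook while LP is not yet burned."""
    pool = Pool(lock_mode=lock_mode, effects_first=effects_first)
    pool.wallets = {"victim": 100, "attacker": 100}      # constructed balances
    pool.add_liquidity("victim", 100)
    pool.add_liquidity("attacker", 100)
    blocked = {"reentry": False}

    def reenter(p: Pool, payout: int) -> None:
        try:                       # a low-level call failure is swallowed, as an
            p.add_liquidity("attacker", payout)   # attacker contract would do
        except Reverted:
            blocked["reentry"] = True

    pool.on_receive["attacker"] = reenter
    pool.remove_liquidity("attacker", 100)
    del pool.on_receive["attacker"]
    pool.remove_liquidity("attacker", pool.lp.get("attacker", 0))  # cash out
    # The victim is now the only LP holder, so pool.eth is what their LP is worth.
    return {"attacker_eth": pool.wallets["attacker"], "pool_eth": pool.eth,
            "reentry_blocked": blocked["reentry"]}
```

With `lock_mode="per_function"` and the vulnerable ordering the attacker turns 100 ETH into 133 and the victim's LP is left backed by 67 ETH, because `add_liquidity` was priced against a pool that had already paid out but not yet burned the attacker's LP. A shared lock rejects the re-entry, and checks-effects-interactions ordering removes the profit even with no lock at all; in production both belong in place, since the lock is the backstop and the ordering is the fix.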