Curve Finance awards dev $250k for finding reentrancy vulnerability
A security researcher was rewarded $250,000 for discovering a vulnerability that has historically allowed hackers to pull out millions of dollars from cryptocurrency protocols.
Pseudonymous cybersecurity researcher Marco Croc from Kupia Security identified a reentrancy vulnerability in decentralized finance (DeFi) protocol Curve Finance.
In an X thread, he explained how the bug could be exploited to manipulate balances and withdraw funds from liquidity pools.
Curve Finance acknowledged potential security flaws and “recognized the severity of the vulnerability,” Marco Croc explained. After a thorough investigation, Curve Finance awarded Marco Croc its maximum bug bounty award of $250,000.
According to Curve Finance, the threat was classified as “not as dangerous,” and they believed they could recover the stolen funds in such a case.
However, the protocol said a security incident of any scale “could have caused serious panic if it had happened.”
Related: Curve Finance debt will cause 'one more stress test' in February — Analyst
Curve Finance recently recovered from a $62 million hack in July. As part of returning to normalcy, the DeFi protocol voted to reimburse $49.2 million worth of assets to the liquidity providers (LPs).
On-chain data confirms that 94% of tokenholders approved the disbursement of tokens worth over $49.2 million to cover the losses of the Curve, JPEG’d (JPEG), Alchemix (ALCX) and Metronome (MET) pools.
According to Curve’s proposal, the community fund will supply the Curve DAO (CRV) tokens. The final amount also includes a deduction for the tokens recovered since the incident.
“The overall ETH ( ETH ) to recover was calculated as 5919.2226 ETH, the CRV to recover was calculated as 34,733,171.51 CRV and the total to distribute was calculated as 55’544’782.73 CRV,” reads the proposal.
The attacker exploited a vulnerability on stable pools using some versions of the Vyper programming language. The bug made Vyper’s 0.2.15, 0.2.16 and 0.3.0 versions vulnerable to reentrancy attacks.
Magazine: 68% of Runes are in the red — Are they really an upgrade for Bitcoin?
Disclaimer: The content of this article solely reflects the author's opinion and does not represent the platform in any capacity. This article is not intended to serve as a reference for making investment decisions.
You may also like
The Daily: ECB President Lagarde rejects bitcoin for Eurozone reserves while the Czech central bank considers it and more
European Central Bank President Christine Lagarde said bitcoin is not an option as a reserve asset for the Eurozone’s central bank reserves, citing liquidity, security and regulatory concerns.Meanwhile, the Czech National Bank approved a proposal from Governor Aleš Michl to assess diversifying some of its country’s reserves into bitcoin.
'Inevitable collapse': Trump’s crypto push sparks concern at Paul Singer's Elliott Management: FT
The hedge fund said in a new investor letter that the “inevitable collapse” of the crypto bubble “could wreak havoc,” according to the Financial Times.Elliott’s Paul Singer has never been a fan of crypto, telling WSJ in 2023 that cryptocurrencies are “completely lacking in any value.”
Kiyosaki Dumps Gold and Silver, Projects Bitcoin at $250K by 2025
Bulls Eye Reversal as Solana Tests Support After 25% Drop
Trending news
MoreCrypto prices
More
