Curve Finance Reimburses Total Amount Stolen in July

On the 30th of July, four Curve Finance pools were exploited due to a re-entrancy bug made possible by the Vyper programming language.

The hackers attacked four mining pools and made off with a total of $73.5 million. Almost immediately, the community sprang into action – Curve itself extended the standard olive branch, offering to treat the incident as a white hat incident in return for 90% of the stolen funds being sent back.

Meanwhile, genuine white hats also went after the hackers, managing to recover a small portion of the funds and return them to the exchange.

Total Recovery Was Impossible

Some of the attackers – particularly those involved in the breach of Metronome – took Curve up on the offer, returning 90% of the funds. Unfortunately, not all of the hackers were inclined to give up their newfound wealth.

After about $52 million were recovered, the Curve community set about the task of deciding if users should be reimbursed and, if so, how it should be done.

Ultimately, the matter was decided by a vote.

Going Above and Beyond

The proposal, which was agreed upon by 94% of voters, promised to not only refund any tokens left unaccounted for but also to make up for missed CRV emissions that would have been distributed to Curve pools had the hack not taken place.

“While stolen funds in each pool were either completely or partially recovered, MEV bots have left all affected pools with a shortfall, and this remediation proposal seeks to make affected LPs whole. […] The overall ETH to recover was calculated as 5919.2226 ETH, the CRV to recover was calculated as 34,733,171.51 CRV and the total to distribute was calculated as 55’544’782.73 CRV.”

Ultimately, the community will reimburse affected users for a total of $42 million worth of CRV, negating the calculated loss of over $94 million.

Just wanted to emphasize the scale of this. Victims are made whole with this vote with:
– $7.2M worth of ETH recovered by whitehats to the DAO being distributed
– $42M worth of CRV compensating unrecovered parts (vested)
– Other whitehat-recovered funds distributed before vote https://t.co/qmcK9pmTe5

— Curve Finance (@CurveFinance) December 22, 2023

Offering to reimburse unrealized gains was a nice touch – one that will surely bolster the confidence of those investing in CurveDAO-related pools.

However, it seems that the developers still have work to do to ensure that this costly situation does not repeat itself. It’s worth mentioning that another attack on Curve Pools – albeit using a different method – was successfully executed just last month.

Given the vast resources of the DAO in question, a significant investment into better security seems in order.