Security Researcher Earns $250k Bounty for Identifying Vulnerability in Curve Finance's DeFi Platform
Summary:
Cybersecurity expert Marco Croc identified a reentrancy vulnerability in the decentralized finance platform, Curve Finance, which had historically permitted hackers to steal millions. Curve Finance rewarded him with their highest bug bounty of $250,000 after verifying this flaw. The DeFi protocol is currently recuperating from a past $62 million hack, reimbursing $49.2 million to liquidity providers. An attacker previously exploited a weak point in some versions of the Vyper programming language, making these versions susceptible to reentrancy attacks.
A cybersecurity expert was awarded $250,000 after identifying a critical fault that traditionally enabled hackers to steal millions from cryptocurrency platforms. Marco Croc, a pseudonymous security investigator from Kupia Security, detected a reentrancy loophole in the decentralized finance (DeFi) platform, Curve Finance. He outlined the way this glitch could be utilized to tamper with balances and withdraw funds from liquidity pools in an online thread.
Curve Finance confirmed the potential security breaches and appreciated the intensity of the found discrepancy, according to Marco Croc. A comprehensive examination resulted in Curve Finance granting Marco Croc their most substantial bug bounty reward of $250,000.
Despite classifying the threat as ‘less dangerous,’ Curve Finance asserted their belief in their capacity to retrieve any stolen funds in such circumstances. Nevertheless, any size of security breach could have potentially caused widespread panic if it had occurred, as per the protocol.
Curve Finance is recovering after a $62 million hack that took place in July. In their journey towards recovery, the DeFi protocol decided to pay back $49.2 million in assets to liquidity providers. Blockchain data validates that 94% of token holders have approved the distribution of over $49.2 million worth of tokens to compensate for the losses suffered by Curve, JPEG’d, Alchemix, and Metronome pools.
As per Curve’s plan, the tokens will be provided by the community fund of the Curve DAO. Calculations for the final amount have factored in the deduction for tokens retrieved post the incident. The proposal states, “The total ETH to be recouped was estimated as 5919.2226 ETH, the CRV to be regained was estimated as 34,733,171.51 CRV, and the sum to be distributed was estimated as 55’544’782.73 CRV.”
An attacker exploited a weak point in stable pools that used certain versions of the Vyper programming language. This glitch made versions 0.2.15, 0.2.16, and 0.3.0 of Vyper susceptible to reentrancy attacks.
Published At
5/1/2024 1:33:33 PM
Disclaimer: Algoine does not endorse any content or product on this page. Readers should conduct their own research before taking any actions related to the asset, company, or any information in this article and assume full responsibility for their decisions. This article should not be considered as investment advice. Our news is prepared with AI support.
Do you suspect this content may be misleading, incomplete, or inappropriate in any way, requiring modification or removal?
We appreciate your report.