A pseudonymous cybersecurity expert, Marco Croc, received a $250K reward for discovering a significant flaw in the Curve Finance decentralized finance (DeFi) protocol. The flaw was a reentrancy vulnerability, a type of bug that has allowed hackers to steal millions from cryptocurrency protocols in the past.
In a detailed explanation on an online forum, Marco Croc outlined how this bug could be used to manipulate balances and withdraw funds from liquidity pools within Curve Finance.
Curve Finance acknowledged the seriousness of the issue and awarded Marco Croc $250,000 as a bug bounty, the highest amount they offer.
While Curve Finance believed they could recover any stolen funds, they recognized the potential for panic if such an incident occurred. According to Curve Finance, the threat was “not as dangerous.”
This discovery came after Curve Finance had recently experienced a $62 million hack in July. To return to normal operations, the DeFi protocol decided to reimburse $49.2 million worth of assets to liquidity providers (LPs).
Data from the blockchain confirmed that 94% of token holders approved the disbursement of tokens to cover the losses in various pools affected by the hack.
The recovery plan involved utilizing the Curve DAO (CRV) tokens from the community fund, with adjustments made for any tokens already recovered.
The vulnerability exploited by the attacker affected stable pools using specific versions of the Vyper programming language. Versions 0.2.15, 0.2.16, and 0.3.0 of Vyper were found to be vulnerable to reentrancy attacks.