Curve Finance Announces Refund Plan Following $62 Million Hack

Decentralized finance (DeFi) platform Curve Finance has announced its plan to refund users affected by the recent attack that resulted in a loss of $62 million. The incident, which occurred on July 30, 2023, involved a malicious hacker exploiting security vulnerabilities in Curve Finance's Vyper compiler, specifically targeting versions 0.2.15 to 0.3.0.

Exploiting a Security Vulnerability

The attacker's skillful manipulation of these vulnerabilities led to the targeting of pools including CRV/ETH, alETH/ETH, msETH/ETH, and pETH/ETH, as well as three pools on the Layer-2 scaling network Arbitrum. Experts in the field have emphasized that detecting these security vulnerabilities required a significant amount of skill and resources. One contributor to Viper even stated that the attack was likely planned weeks before execution.

Recovery and Refund

According to official posts from Curve Finance's account, ongoing investigations have made progress, and approximately 79% of the funds have been successfully recovered as of August 11, 2023. The platform also announced that it will evaluate each affected user for refunds to ensure the fair distribution of resources.

In a surprising turn of events, 10% of the stolen assets were offered as a reward to the responsible person behind the attack, and upon accepting this offer, the hacker started refunding the funds. According to on-chain data from Etherscan, the total value of the refunded funds reached 4,821 Ethereum, equivalent to approximately $8,891,578.

Impact on Curve Finance

The attack has had a profound impact on Curve Finance. Data from DefiLlama revealed that the total value of assets locked (TVL) on Curve Finance has dropped to its lowest level in two years, standing at $2.83 billion at the time of writing. This represents a 24% drop since the exploit on July 30.

Furthermore, trading volume on Curve totaled $100 million as of August 10, down from $143 million prior to the hack. Activity on one of Curve's leading pools, ETH/stETH LP, has dwindled since the hack, with trading volume reduced around 70% in the last two weeks.