Curve Finance responds to a July hacking incident, reimbursing affected users with $42 million worth of CRV. The community-backed decision aims to restore trust and cover not only stolen funds but also unrealized gains.
Curve Finance faced a significant setback on July 30th when four of its pools fell victim to a re-entrancy bug linked to the Vyper programming language. Hackers exploited the bug and siphoned off a staggering $73.5 million. In a swift response, Curve Finance extended an olive branch, proposing to treat the incident as a white hat scenario in exchange for the return of 90% of the pilfered funds.
While some hackers, notably those involved in the Metronome breach, accepted the offer and returned 90% of the funds, others chose to retain their ill-gotten gains. The community, having recovered approximately $52 million, deliberated on whether to reimburse affected users and, if so, the method to adopt. A democratic vote ensued, with 94% of participants agreeing to a proposal that pledged not only to refund any unaccounted-for tokens but also to compensate for missed CRV emissions due to the hack.
The remediation proposal outlined the recovery efforts, stating, “Overall ETH to recover was calculated as 5919.2226 ETH, the CRV to recover was calculated as 34,733,171.51 CRV, and the total to distribute was calculated as 55’544’782.73 CRV.” Consequently, the community decided to reimburse affected users with a total of $42 million worth of CRV, effectively mitigating the calculated loss exceeding $94 million.
Just wanted to emphasize the scale of this. Victims are made whole with this vote with:
– $7.2M worth of ETH recovered by whitehats to the DAO being distributed
– $42M worth of CRV compensating unrecovered parts (vested)
– Other whitehat-recovered funds distributed before vote https://t.co/qmcK9pmTe5
— Curve Finance (@CurveFinance) December 22, 2023
A noteworthy aspect of the reimbursement initiative was the commitment to cover unrealized gains, demonstrating a proactive approach to restoring confidence among investors in CurveDAO-related pools.
Despite this positive move, the incident highlights the ongoing need for developers to enhance security measures. Notably, a separate attack on Curve Pools, utilizing a different method, occurred just the previous month.
Considering the substantial resources of the DAO, a strategic investment in bolstering security appears imperative to prevent future costly exploits.