$1.8M Bounty Now Open to Public as Curve Finance Hacker Misses Deadline

After last week’s multi-million-dollar Curve Finance (CRV) exploit, the deadline set by the team for the attacker to voluntarily return the funds has officially passed.

This means the bounty for doxxing the hacker has now been extended to the public.

According to the Curve team, who attached an image of a note published on the Ethereum blockchain, the reward for anyone who helps identify the exploiter and leads to their conviction in court amounts to 10% of the stolen funds yet to be returned (valued currently at over $18.5 million).

The deadline, which was set for August 6 at 8 am UTC, had been issued via a similar on-chain message from Curve and two other DeFi teams—MetronomeDAO and Alchemix Finance—who also suffered losses.

On that occasion, the trio appeared to be in negotiations with the attacker for a voluntary reimbursement, though to no avail. They had also announced that they were preparing legal action against the culprit.

Yesterday’s deadline expiry sparked a flurry of comments on Crypto Twitter, with some skeptical it would help recoup some, if any, of the stolen funds.

“This is the state of the crypto justice system,” tweeted one user, adding, “this is the fault of blockchains not having governance and defense in depth built directly into the blockchain protocol level.”

Others speculated that the attack could be yet another from the North Korean hacker cell Lazarus group, which made headlines last week with another million-dollar exploit.

Curve Finance and several protocols that forked their code suffered extensive exploits last week due to a vulnerability discovered in the programming language, Vyper.

The most affected, however, was Curve, one of the largest decentralized exchanges on Ethereum, with an estimated $73 million drained from its network–$52 million of which have been returned as of today.