$1.8M Bounty Now Open to Public as Curve Finance Hacker Misses Deadline

After last week’s multi-million-dollar Curve Finance (CRV) exploit, the deadline set by the team for the attacker to voluntarily return the funds has officially passed.

This means the bounty for doxxing the hacker has now been extended to the public.

According to the Curve team, who attached an image of a note published on the Ethereum blockchain, the reward for anyone who helps identify the exploiter and leads to their conviction in court amounts to 10% of the stolen funds yet to be returned (valued currently at over $18.5 million).

The deadline, which was set for August 6 at 8 am UTC, had been issued via a similar on-chain message from Curve and two other DeFi teams—MetronomeDAO and Alchemix Finance—who also suffered losses.

On that occasion, the trio appeared to be in negotiations with the attacker for a voluntary reimbursement, though to no avail. They had also announced that they were preparing legal action against the culprit.

Yesterday’s deadline expiry sparked a flurry of comments on Crypto Twitter, with some skeptical it would help recoup some, if any, of the stolen funds.

“This is the state of the crypto justice system,” tweeted one user, adding, “this is the fault of blockchains not having governance and defense in depth built directly into the blockchain protocol level.”

Others speculated that the attack could be yet another from the North Korean hacker cell Lazarus group, which made headlines last week with another million-dollar exploit.

North Korean Hacker Cell Lazarus Allegedly Behind $60M Alphapo Hack

The infamous North Korean hacker group Lazarus has been attributed to yet another multi-million dollar hack–this time affecting Alphapo, a large payment processor associated with gambling sites and e-commerce platforms. According to crypto investigator ZachXBT, the exploit began on July 22, when several hot wallets associated with Alphapo were drained for over $23 million–via Ethereum (ETH), Bitcoin (BTC), and Tron (TRX). The initial hack, purportedly perpetrated by Lazarus registered $6 million...

Curve Finance and several protocols that forked their code suffered extensive exploits last week due to a vulnerability discovered in the programming language, Vyper.

The most affected, however, was Curve, one of the largest decentralized exchanges on Ethereum, with an estimated $73 million drained from its network–$52 million of which have been returned as of today.