The hacker drained a number of pools on Curve Finance, stealing roughly $70 million, but has gradually started returning funds to various projects.
Nonfungible token finance (NFT-Fi) protocol JPEG’d has confirmed that 5,495 Ether (ETH), worth roughly $10 million at current prices, has been returned by the Curve Finance hacker.
In exchange for returning the funds that were stolen on July 30, the hacker received a 610.6 ETH ($1.1 million) bounty.
JPEG’d exploit update:
— ZachXBT (@zachxbt) August 4, 2023
Seems 5495 ETH was returned just now for a 10% whitehat bounty.
0x003b00378ac52c10200d8fcac0e42138a34e46b9d7c3350ad3372ae0eb141df3
Michael Razum is not the exploiter but was linked on-chain bc a few of his contracts were drained by this person. pic.twitter.com/mc3GGx2gyd
JPEG'd is a decentralized lending protocol that enables users to borrow funds against their collateralized NFTs. As part of the major hack on Curve Finance, the protocol lost $11.6 million worth of crypto.
In an Aug. 4, X (Twitter) thread, the team stated that the funds have been returned to the JPEG’d decentralized autonomous organization multisig wallet address.
“Any further investigations or legal matters against the entity will end. We view this occurrence as a white-hat rescue,” the JPEG’d team stated.
The JPEG'd DAO confirms receipt of 5,494.4 WETH back to the JPEG'd Multisig for a total of 5,495.4 WETH. A 10% white-hat bounty of 610.6 WETH was awarded to the owner of the address that recovered funds from the pETH exploit.https://t.co/nIBwHHxfQU
— JPEG'd (@JPEGd_69) August 4, 2023
The decentralized finance (DeFi) ecosystem copped a significant hit in late July, after several liquidity pools on Curve Finance were drained.
The hacker managed to exploit a security vulnerability in the Vyper smart contract programming language that these particular pools were coded with, and the total losses were estimated to be around $70 million worth of crypto.
The exploit impacted projects such as decentralized exchange Ellipsis, lending platform Alchemix, JPEG’d and synthetic protocol Metronome, which all saw millions of dollars worth of assets stolen from liquidity pools, while Curve Finance also lost around $22 million worth of Curve DAO (CRV) tokens.
Related: CRV exposure risk throws a curveball at the DeFi ecosystem: Finance Redefined
On Aug. 3, Curve, Metronome and Alchemix jointly announced an initiative to retrieve the stolen funds, offering the hacker a 10% bounty and no legal action if they returned the other 90% of the funds.
In less than 24 hours, the hacker seemingly agreed to the deal, and has gradually started returning the stolen funds to the various projects.
Apart from JPEG’d, they have so far returned 4,820.55 Alchemix ETH (alETH), worth roughly $8.8 million to the Alchemix Finance team, and 1 ETH ($1,829) to the Curve Finance team.
Magazine: Deposit risk: What do crypto exchanges really do with your money?