Alchemix Reports Return Of Stolen Funds From Curve Exploit

Table of Contents

• Alchemix Announces Return Of All Funds 
• An Offer The Hacker Couldn’t Refuse 
• Hacker Accepts Offer And Returns Funds 
• DeFi Breathes A Sigh Of Relief 

Alchemix, a lending platform, has reported that all the funds stolen by the Curve Finance hacker from Alchemix’s alETH-ETH pool have been returned. 

Curve Finance had fallen victim to a major heist on the 31st of July, leading to the hacker draining around $61 million from the protocol. 

Alchemix Announces Return Of All Funds 

The Curve Finance exploit had resulted in Alchemix losing around $13.6 million from its alETH-ETH pool. Apart from Alchemix, several other pools also saw their funds drained. These included JPEGd’s pETH-ETH pool, which saw outflows of around $11.4 million, and Metronome’s sETH-ETH pool, which saw the exploit drain about $1.6 million. The hacker had targeted several stable pools on Curve Finance using a reentrancy bug that impacted the Vyper programming language used on Curve Finance. 

Now, Alchemix has announced on X that the hacker has returned the stolen funds after accepting a bug bounty offer from Curve, Metronome, and Alchemix. 

“We are extremely happy to announce that all funds stolen by the hacker of the Alchemix @CurveFinance pool have now been returned.”

An Offer The Hacker Couldn’t Refuse 

Alchemix, Metronome, and Curve Finance had offered the hacker a 10% bug bounty as a reward, asking them to return the remaining 90% of the stolen funds. The three entities had stated that if the hacker returned the funds, they would not face any further legal or law enforcement actions. 

“The offer comes with a guarantee of no further legal actions or involvement of law enforcement. We want to resolve this in a civilized manner. You will have no risk of us pursuing this further, no risk of law enforcement issues.”

However, the three protocols also told the hacker to view their offer as a final warning, giving them until the 6th of August to accept their offer. They warned that if the hacker refused or ignored their warning, they would be expanding the bounty to the public, offering 10% of the funds to anyone who would help identify the hacker in a way that would lead to conviction in court. The stark warning stated that the hacker would feel the full force of the law should he fail to comply. 

“If you choose not to partake in the voluntary return and complete the process by the 6th of August at 0800 UTC, we will expand the bounty to the public and offer the full 10% to the person who is able to identify you in a way that leads to your conviction in the courts. We will pursue you from all angles with the full extent of the law.”

Hacker Accepts Offer And Returns Funds 

On the 4th of August, the hacker posted a message on the Ethereum network directed at Curve Finance and Alchemix development teams. In the not-so-pleasant message, the hacker stated that they would return the funds, but because they did not want to ruin the multiple projects impacted, and not because they were caught or because of the threat of legal action. The hacker stated in his on-chain message, 

“I’m refunding, not because you can find me. It’s because I don’t want to ruin your project.”

At around 11:16 am UTC, the hacker returned 1 alETH to the Curve Finance deployer account. Following the success of the initial transaction, the hacker made three separate transfers two hours later, totaling around 4820.55 alETH, sent to the Alchemix development team’s multisig wallet. The funds returned were around $8.9 million worth of crypto assets, making up around 15% of the stolen funds. Alchemix later reported that the hacker returned all of the stolen funds. 

NFT protocol JPEG’d, in a separate announcement, also confirmed that they had been refunded, with the perpetrators returning around 5495 ETH. As stated in the bounty offer, the NFT protocol will not be taking any legal action against the hackers. The JPEG’d team stated, 

​​“Any further investigations or legal matters against the entity will end. We view this occurrence as a white-hat rescue.”

DeFi Breathes A Sigh Of Relief 

The Curve Finance exploit had put considerable pressure on the larger DeFi ecosystem after the value of the protocol’s CRV token plummeted after the hack. Several reports that emerged after the hack stated that Curve founder Michael Egorov had taken several loans, putting up CRV as collateral, putting Egorov’s $168 million lending position at risk of liquidation. This put major DeFi protocols Aave, Abracadabra, and several others at risk as well, thanks to a potential domino effect.

Disclaimer: This article is provided for informational purposes only. It is not offered or intended to be used as legal, tax, investment, financial, or other advice.