JAKARTA - Curve Finance, a leading decentralized finance (DeFi) platform, recently awarded $250 thousand (around IDR 4,063,750,000) to Marco Croc of Kupia Security, a security researcher who discovered a critical vulnerability in its system.
The reentrancy vulnerability discovered by Marco Croc could have allowed attackers to manipulate balances and withdraw funds from Curve Finance liquidity pools. Given the risk, Curve Finance quickly conducted a thorough investigation and awarded the researcher the maximum bug bounty in recognition of his significant contribution.
Although this vulnerability is classified as not too dangerous, Curve Finance acknowledges that security incidents, no matter how small, can cause panic among users. The award therefore also aims to encourage responsible, ethical hacking and to strengthen the protocol's defenses against future exploitation.
Post-Attack Recovery Efforts
This award is part of Curve Finance's recovery effort after a $62 million attack in July. To restore the trust and assets of liquidity providers, the protocol recently held a vote to replace $49.2 million (approximately IDR 799,644,000,000) of lost assets. The decision was supported by 94% of Curve DAO (CRV) token holders and covers losses in several pools, including JPEGd (JPEG), Alchemix (ALCX), and Metronome (MET).
The replacement plan uses CRV tokens from community funds and takes into account the tokens that have been successfully recovered since the incident. As a result, a final distribution of 55,544,782.73 CRV will be carried out, with the amounts of Ethereum (ETH) and CRV to be recovered calculated as 5,919.2226 ETH and 34,733,171.51 CRV.
As reported by Cryptonews, the vulnerability exploited by the hackers in that attack targeted stable liquidity pools and was related to particular versions of the Vyper programming language. Versions 0.2.15, 0.2.16, and 0.3.0 of Vyper were found to be vulnerable to reentrancy attacks, which allow unauthorized withdrawal of funds.