According to CryptoPotato, on July 30th, four Curve Finance pools were exploited due to a re-entrancy bug in the Vyper programming language. The hackers targeted four mining pools and stole a total of $73.5 million. In response, Curve offered to treat the incident as a white hat incident if 90% of the stolen funds were returned. Some genuine white hats also pursued the hackers, recovering a small portion of the funds and returning them to the exchange.
Some of the attackers, particularly those involved in the Metronome breach, accepted Curve's offer and returned 90% of the funds. However, not all of the hackers were willing to relinquish their newfound wealth. After recovering about $52 million, the Curve community began discussing whether users should be reimbursed and, if so, how it should be done. The matter was ultimately decided by a vote.
The proposal, which was approved by 94% of voters, pledged to not only refund any unaccounted tokens but also compensate for missed CRV emissions that would have been distributed to Curve pools if the hack had not occurred. The community will reimburse affected users for a total of $42 million worth of CRV, offsetting the calculated loss of over $94 million. The gesture of reimbursing unrealized gains will likely boost the confidence of those investing in CurveDAO-related pools. However, the developers still need to work on ensuring that such a costly situation does not happen again. It is worth noting that another attack on Curve Pools, using a different method, was successfully carried out just last month. Given the vast resources of the DAO in question, a significant investment in better security seems necessary.
