Curve Finance acknowledges developer’s discovery of reentrancy vulnerability, rewards them with $250K.

A cryptocurrency security expert has been rewarded with a generous sum of $250,000 after uncovering a vulnerability that has allowed hackers to steal millions of dollars from various cryptocurrency protocols in the past. The researcher, known as Marco Croc from Kupia Security, discovered a reentrancy vulnerability in the decentralized finance (DeFi) protocol Curve Finance. In a detailed post, Croc explained how this bug could be exploited to manipulate balances and withdraw funds from liquidity pools. Recognizing the severity of this vulnerability, Curve Finance conducted a thorough investigation and then awarded Croc the maximum bug bounty of $250,000. The protocol acknowledged that the threat was not as dangerous as other potential risks, but still emphasized the potential for panic if such an incident were to occur. This incident follows Curve Finance’s recovery from a $62 million hack in July, during which they voted to reimburse $49.2 million worth of assets to liquidity providers. The recent disbursement of tokens worth over $49.2 million was approved by 94% of tokenholders and will help cover the losses incurred by the Curve, JPEG’d, Alchemix, and Metronome pools. The community fund will provide the necessary Curve DAO tokens, with adjustments made for tokens that have been recovered since the incident. The attacker exploited a vulnerability in stable pools using specific versions of the Vyper programming language, particularly versions 0.2.15, 0.2.16, and 0.3.0. This incident highlights the ongoing challenges and vulnerabilities faced by the cryptocurrency industry.