Decentralized finance (DeFi) protocol Alchemix announced that all funds stolen from the alETH-ETH pool on Curve Finance were returned by the hacker.
By exploiting a vulnerability in the Vyper programming language, the hacker stole over $61 million from various stablecoin pools on Curve Finance on July 30.
The hacker accepted the bug bounty offer from Curve, Metronome, and Alchemix, which announced a joint effort to recover the stolen funds on August 3. The offer included a reward of 10% of the stolen funds, which amounted to about $7 million and urged the hacker to return the remaining 90%.
The hacker began returning funds to the Alchemix Finance team on August 4, starting with 4,820.55 Alchemix ETH (alETH) tokens worth approximately $13.6 million.
We are extremely happy to announce that all funds stolen by the hacker of the Alchemix @CurveFinance pool have now been returned.
Full post mortem coming.
— Alchemix (@AlchemixFi) August 5, 2023
However, the hacker said in his message that he returned the funds not because he feared that he might be found, but because he did not want the projects in question to be destroyed.
The Curve Finance attack was one of the largest DeFi attacks in history, affecting several projects using vulnerable versions of the Vyper programming language. The hacker targeted stablecoin pools containing Ethereum-pegged tokens such as alETH, pETH, and sETH, and used reentrancy attacks to repeatedly withdraw funds from these pools.
*Not investment advice.