The community behind the decentralized finance (DeFi) protocol Curve Finance has voted to reimburse the liquidity providers (LPs) hit by a $61-million hack in July.
On-chain data confirms that 94% of tokenholders approved on Dec. 21 the disbursement of tokens worth over $49.2 million to cover the losses of the Curve (CRV), JPEG’d (JPEG), Alchemix (ALCX) and Metronome (MET) pools.
Just wanted to emphasize the scale of this. Victims are made whole with this vote with:
— Curve Finance (@CurveFinance) December 22, 2023
- $7.2M worth of ETH recovered by whitehats to the DAO being distributed
- $42M worth of CRV compensating unrecovered parts (vested)
- Other whitehat-recovered funds distributed before vote https://t.co/qmcK9pmTe5
The calculation of losses includes the amount of Ether (ETH) and CRV tokens in the pools before the hack, along with missed CRV emissions that would have been distributed to LPs over the past months. According to Curve’s proposal, the community fund will supply the Curve DAO (CRV) tokens. The final amount also includes a deduction for the tokens recovered since the incident.
“The overall ETH to recover was calculated as 5919.2226 ETH, the CRV to recover was calculated as 34,733,171.51 CRV and the total to distribute was calculated as 55’544’782.73 CRV,” reads the proposal.
The security incident took place on July 30, exposing several DeFi protocols to a stress test in the following days due to concerns over the exploit’s impact on the crypto ecosystem. In July, Curve’s total value locked (TVL) was nearly $4 billion. Among the pools affected were alETH/ETH, pETH/ETH, msETH/ETH and CRV/ETH.
“While stolen funds in each pool were either completely or partially recovered, MEV bots have left all affected pools with a shortfall, and this remediation proposal seeks to make affected LPs whole,” Curve wrote in the proposal.
The attacker exploited a vulnerability on stable pools using some versions of the Vyper programming language, a popular choice for DeFi protocols due to its design for the Ethereum Virtual Machine. The bug made Vyper’s 0.2.15, 0.2.16 and 0.3.0 versions vulnerable to reentrancy attacks.
Magazine: This is your brain on crypto — Substance abuse grows among crypto traders