Nonfungible token (NFT) and decentralized finance (DeFi) protocol JPEG’d has confirmed that 5,495 Ether (ETH), worth roughly $10 million at current prices, has been returned by the Curve Finance hacker.
In exchange for returning the funds that were stolen on July 30, the hacker received a 610.6 ETH ($1.1 million) bounty.
JPEG’d exploit update:
— ZachXBT (@zachxbt) August 4, 2023
Seems 5495 ETH was returned just now for a 10% whitehat bounty.
0x003b00378ac52c10200d8fcac0e42138a34e46b9d7c3350ad3372ae0eb141df3
Michael Razum is not the exploiter but was linked on-chain bc a few of his contracts were drained by this person. pic.twitter.com/mc3GGx2gyd
JPEG’d is a DeFi lending protocol that enables users to borrow funds against their collateralized NFTs. The protocol lost $11.6 million of crypto in the Curve hack.
In an Aug. 4, X (formerly Twitter) thread, the team stated that the funds had been returned to the JPEG’d decentralized autonomous organization multisig wallet address.
“Any further investigations or legal matters against the entity will end. We view this occurrence as a white-hat rescue,” the JPEG’d team stated.
The JPEG'd DAO confirms receipt of 5,494.4 WETH back to the JPEG'd Multisig for a total of 5,495.4 WETH. A 10% white-hat bounty of 610.6 WETH was awarded to the owner of the address that recovered funds from the pETH exploit.https://t.co/nIBwHHxfQU
— JPEG'd (@JPEGd_69) August 4, 2023
The DeFi ecosystem received a significant hit in late July after several liquidity pools on Curve Finance were drained.
The hacker managed to exploit a security vulnerability in the Vyper smart contract programming language used in the pools, with total losses estimated to be around $70 million worth of crypto.
The exploit impacted projects such as decentralized exchange Ellipsis, lending platform Alchemix, JPEG’d, and synthetic protocol Metronome, which all saw millions of dollars worth of assets stolen from liquidity pools. Curve Finance also lost around $22 million of Curve DAO (CRV) tokens.
Related: CRV exposure risk throws a curveball at the DeFi ecosystem: Finance Redefined
On Aug. 3, Curve, Metronome and Alchemix jointly announced an initiative to retrieve the stolen funds, offering the hacker a 10% bounty and no legal action if they returned the other 90% of the funds.
In less than 24 hours, the hacker apparently agreed to the deal and has gradually started returning the stolen funds to the various projects.
Apart from JPEG’d, the hackers have returned 4,820.55 Alchemix ETH (alETH) ($8.8 million) to the Alchemix Finance team and 1 ETH ($1,829) to the Curve Finance team.
Magazine: Deposit risk: What do crypto exchanges really do with your money?