...and is definitely not an enormous grift that's pouring lighter fluid on our already smoldering planet.
Created by Molly White. Subscribe to her newsletter for weekly recaps.
Then, on May 12, the project posted a warning that the website for the Curve frontend was "hijacked" in an apparent domain takeover.
This is not the first such compromise for Curve, which suffered a frontend compromise in August 2022 that resulted in $620,000 in losses (later recovered with the help of some exchanges).
Although ConvergenceFi described itself as audited, they admitted they had made changes to that portion of the code after the audits.
They assured their users that all user funds were safe, but recommended that users remove their staked funds from the platform.
Curve itself lost $61 million to the exploit. AlchemixFi was exploited for around $13 million in assets, and JPEG'd suffered a $11 million loss. MetronomeDAO suffered a $1.6 million loss, Ellipsis Finance lost $68,600, and Debridge Finance lost around $24,600.
Altogether, somewhere between $88 million and $100 million was taken, though some exploits appeared to be whitehat actions intended to preserve funds. The primary exploiter also later returned some of the stolen funds, refunding the entire amount to AlchemixFi and 90% of funds to JPEG'd in exchange for a 10% "bug bounty".
dForce contacted the hacker via blockchain transaction, offering to negotiate a bounty. Several days later, the project tweeted that the attacker had "c[o]me forward as a whitehat", and that the funds had been fully returned. "We have agreed to offer a bounty and will drop all on-going investigation and law enforcement actions," they announced.
Security firm PeckShield initially suggested the issue might have been with QiDAO, which creates the $MAI stablecoin. The vulnerability is not with their project, although it's possible that the theft will impact the collateralization of their stablecoin.
Curve acknowledged the apparent exploit, tweeting at the iwantmyname domain platform to say they believed the issue was on their end. Around an hour after the issue was widely noticed, Curve announced the "issue has been found and reverted", and to use the alternate Curve Finance domain until DNS changes propagated for the affected domain. They also urged users to revoke any recent contract approvals they'd made on the Curve platform.
FixedFloat tweeted that they had been able to freeze 112 of the stolen ETH (~$192,000) that had been transferred to their platform. Binance later announced that they'd recovered the remaining stolen funds, with founder CZ tweeting, "The hacker kept on sending the funds to Binance in different ways, thinking we can't catch it. đ"
No JavaScript? That's cool too! Check out the Web 1.0 version of the site to see more entries.
