Curvey’s community approved on December 21st, the reimbursement of liquidity providers impacted by a $61 million hack in July. The decentralised finance (DeFi) community that supports Curve Finance has decided to pay back the liquidity providers (LPs) that were hacked for $61 million in July.
94% of token holders approved the distribution of tokens valued at over $49.2 million on December 21 to compensate for the losses of Curve, JPEGd, Alchemix, and Metronome pools, according to on-chain data.
The amount of Ether and CRV tokens in the pools prior to the hack, as well as the missed CRV emissions that would have been given to LPs over the previous few months, are all factored into the loss calculation. As per Curve’s proposal, the Curve DAO (CRV) tokens will be sourced from the community fund. The tokens that have been recovered since the incident are also deducted from the final total.
“The overall ETH to recover was calculated as 5919.2226 ETH, the CRV to recover was calculated as 34,733,171.51 CRV and the total to distribute was calculated as 55’544’782.73 CRV,” the proposal states.
Concerns about the exploit’s potential effects on the cryptocurrency ecosystem led to the security incident on July 30, which exposed several DeFi protocols to a stress test in the days that followed. Curve had almost $4 billion in total value locked (TVL) as of July. AlETH/ETH, pETH/ETH, msETH/ETH, and CRV/ETH were some of the affected pools.
Curve stated in the proposal that “although the stolen funds in each pool were either fully or partially recovered, MEV bots have left all affected pools with a shortfall, and this remediation proposal seeks to make affected LPs whole.”
The attacker used certain versions of the Vyper programming language, which is a popular choice for DeFi protocols because of its design for the Ethereum Virtual Machine (EVM), to take advantage of a vulnerability on stable pools. The bug exposed Vyper versions 0.2.15, 0.2.16, and 0.3.0 to reentrancy attacks.