August 7, 2023: Manhunt 🏃🕵️♀️
After ultimatum deadline passes, Curve opens $1.8MM bounty for info on final hacker
Big news out of PayPal as we hit publication, which we’ll cover in more depth tomorrow…
Vyper
Last week we saw the official Vyper post-mortem drop.
This is the latest official post-mortem to drop since the hack, and it was worth the wait. The sweeping report covers compiler-level context on the state of reentrancy protection and gives a meticulous step-by-step accounting of all the changes related to this incident.
Broadly, over the five-year span from 2018 to 2023, the Vyper team was refactoring the compiler while also busy shipping featureful new versions to accommodate protocol demand. One can retroactively imagine a world where Vyper was better staffed and the bug was properly flagged, but alas.
The post-mortem also recommends a variety of next steps, some of which are already underway.
We also saw a separate article by jtriley doing a deep dive into the Vyper compiler.
If there's an upside to the travails of recent weeks, it's the heavy public interest in Vyper and the onslaught of educational materials to satiate this demand. Banteg has also joined the chorus:
The fact that so many different contracts were launched continuously across the span of Vyper versions ended up providing some resilience: only contracts compiled with the affected versions were exposed. This fortunately limited the attack surface and kept the hack more limited in scope.
The incident was still tragic, but in our humble opinion, reinforces the need for compiler diversity.
Lockening
It's too easy to troll the FUD-sters, who often try to take potshots at it despite having only a crude, rudimentary understanding of its architecture…
This address is, of course, the veCRV locker, which controls the plurality of $CRV.
Yes… FUD-sters complaining isn't exactly news, but it happened unusually often this past week. As short sellers realized they would yet again fail to catch and liquidate Mich, some tried to mock his dealmaking prowess by kvetching that his apparent handshake agreements, under which recipients would not sell their $CRV for six months, were hardly enforceable.
The terms of his deals were in fact opaque, so nobody save the counterparties knows the precise terms. Yet the onchain data doesn't lie: the past week has seen the highest rate of locking in 2023.
We haven't seen anybody attempt to break down these locks to determine what percentage came from OTC counterparties fulfilling their purported bargain, and what percentage came from copycats locking $CRV because it's what the smart money seemed to be doing.
One aspect of the lockening we're watching closely is the extent to which an uptick in veCRV locking flows to the benefit of $CVX. We know the two tokens have historically tended to trade somewhat in tandem in previous eras. What will happen this cycle?
Manhunt
Of the four hacks afflicting Curve pools, three have seen positive resolutions: JPEG'd, Alchemix, and part of the Curve hack have seen funds recovered.
However, the ultimatum given to the remaining Curve hacker has passed without comment, and the bounty has been opened to the public.
By our read, the smartest thing the hacker could do would be to return the money…
But they haven’t. Below, one midwit speculates wildly about the hacker’s origins and next moves…