Skip to main content

Coinbase, the preeminent cryptocurrency exchange in the US, secured a windfall of $1 million in the wake of the recent cyber attack on the decentralized finance (DeFi) platform, Curve Finance.

Yet, despite the considerable gain, the platform has not redistributed the acquired funds, which many believe rightfully belong to those adversely affected by the hack, justifying its stance by asserting no legal obligation to do so.

The breach transpired in July, where Curve Finance, a significant entity in the DeFi sector, was compromised, culminating in the heist of assets valued at $73 million.

Amidst the assault, Curve’s pricing mechanism went haywire, engendering a rare arbitrage chance.

Seizing this anomaly, a trading bot facilitated a swift transaction on the Ethereum blockchain by compensating a validator with 570 ETH, equivalent to approximately $1.06 million at that moment. Remarkably, this payment ranks as the second-highest in the annals of “maximal extractable value” (MEV) transactions.

This hefty compensation found its way to Coinbase, the validator that facilitated the transaction, as verified by data from Nansen and assertions from Alchemix, a platform that incurred a $22 million loss in the Curve debacle.

Despite the majority of the pilfered $73 million being retrieved, Alchemix contends that Coinbase has rebuffed pleas to relinquish the funds it garnered through the event, essentially harboring assets that were derived from the theft.

The exchange stands firm on its position, with representatives reportedly informing Alchemix of their non-obligation to indemnify any party, showcasing a stark conflict between the decentralized ethos of blockchain-based finance, epitomized by the phrase “code is law,” and the scant avenues of redress for victims of digital asset pilferage.

Delving into Coinbase’s $1 Million Acquisition

During the initial onslaught on Curve, perpetrators exploited a glitch in the coding of specific liquidity pools, siphoning assets worth $73 million.

This glitch impacted pools housing Ethereum (ETH) and alETH, a derivative of ether issued by Alchemix, causing a severe disparity between the values of the two tokens and enabling traders to acquire alETH at a significantly diminished rate.

A savvy trading bot capitalized on this discrepancy, sweeping up the residual alETH in the pool, which was swiftly traded for another derivative termed frxETH, subsequently converted to ETH.

While the bot’s venture yielded a mere 43 ETH in profits, the lion’s share of the earnings went to Coinbase, the adjudicator tasked with enlisting the transaction on the Ethereum ledger. This substantial fee of 570 ETH functioned as a catalyst for Coinbase to give precedence to the bot’s transaction amidst others vying for the same arbitrage opportunity.

In a turn of events, the malefactor behind the Curve assault acceded to public outcry and an impending deadline, reinstating all $22 million in usurped ETH and alETH to Alchemix.

Furthermore, altruistic white-hat individuals intervened, restoring assets worth $13 million before potential theft. Adding to this, the operator of the trading bot acquiesced to Alchemix’s appeal, forfeiting the 43 ETH profit realized from exploiting the alETH discrepancy.