1️⃣ The vulnerability could cause an inconsistency between the actual balance and the balance state variable by calling the withdraw_admin_fees inside the fallback of remove_liquidity_imbalance. (reentrancy)
2️⃣ I submitted a report with a written PoC and they swiftly acknowledged my findings. I engaged in a fruitful exchange of emails, discussing the potential impact and possible mitigations directly with
@newmichwill
.
3️⃣ After thorough evaluation, the
@CurveFinance
team recognized the severity of the vulnerability and awarded me the maximum bug bounty of $250,000! Their professionalism and generosity were truly commendable.
4️⃣ I want to express my sincere gratitude to the amazing team at
@CurveFinance
, especially
@newmichwill
, for their prompt response and collaborative approach throughout the process. It was a pleasure to work with them.
5️⃣ To shed light on this fascinating journey, I've written an in-depth article that dives into the nitty-gritty details of the vulnerability. Don't miss it!