Decentralized lending protocol Sturdy Finance offered a $100,000 bounty to the attacker who siphoned 442 ether ($800,000) from the platform on Monday.
Sam Forman, the project’s founder, confirmed in a tweet published earlier today that his team had sent an on-chain message to the unknown attacker’s address. This message offers the perpetrator a bounty of $100,000 to return the stolen funds to a specified address owned by Sturdy, adding that the team will “advocate for no criminal charges” if the funds are returned.
“We are willing to offer you $100k as a bounty, and will not pursue you further if you send the remaining funds to 0x4e…89F5,” read Forman’s tweet, suggesting a potential reprieve for the attacker if they choose to comply.
This offer follows a security incident in which an attacker exploited a reentrancy vulnerability in one of Sturdy Finance’s liquidity pools. The vulnerability allowed the hacker to manipulate a price oracle and eventually siphon off funds.
In response to the attack, Sturdy Finance promptly suspended all of its markets to prevent further losses. The team reassured users that no other funds were at risk and that the platform’s security would be thoroughly investigated.