Coinbase Earned $1M Amid Hack, but Hasn't Reimbursed Victims

Coinbase received 570 ETH, the second-largest payout tied to MEV in Ethereum’s history, to process transactions related to the Curve exploit.

Sep 15, 2023 at 1:19 p.m. UTC
Updated Apr 8, 2024 at 9:49 p.m. UTC
  • The $73 million Curve exploit in July briefly pushed prices on the DeFi platform out of whack, and a trading bot paid 570 ETH to ensure it could take advantage of that once-in-a-lifetime arbitrage opportunity.
  • The Ethereum validator that received that payment was apparently run by Coinbase, making it an unwitting beneficiary of the incident.
  • Exploit victim Alchemix reached out to Coinbase to seek a refund for victims, but the crypto exchange has evidently not turned over the money.

An exploiter’s July attack on decentralized finance giant Curve Finance roiled the entire DeFi market. Much of the stolen money has been returned, but not everyone has been made whole.

One titan of crypto, though – Coinbase, the largest U.S. exchange – is sitting on a roughly $1 million profit tied to the incident, according to market participants and observers. It hasn’t surrendered this inadvertent windfall to victims. And, to be clear, it’s currently not obligated to.

The bizarre situation stems from a quirky feature of the DeFi economy’s infrastructure.

When $73 million worth of assets were stolen from Curve, the platform’s asset-pricing system was briefly thrown out of whack. A trading bot noticed this once-in-a-lifetime arbitrage opportunity and pounced, paying 570 ETH (worth $1.06 million at the time) to make sure an Ethereum blockchain validator processed its trade as quickly as possible. It was the second-biggest payment ever tied to the practice known as MEV.

Validators run the Ethereum network, and there are many of them. In this case, Coinbase was the validator that received the payment, according to Alchemix, which lost money during the Curve exploit, and data from Nansen that shows Coinbase was the recipient of the money.

While the bulk of the $73 million in assets lost in the Curve hack has been recouped, the Alchemix protocol – which saw $22 million of its Curve-based tokens looted by the hacker – said that Coinbase has turned down requests to send back the money it earned as a result of the heist.

“Coinbase has shown no willingness to return the funds, despite knowingly benefitting directly from the exploit,” Alchemix told CoinDesk in a statement.

Alchemix, which argues Coinbase is keeping stolen money, says Coinbase representatives have told it there’s no legal requirement for it to reimburse anyone.

A Coinbase spokesperson said the company has “nothing additional to share at this time” and declined a request to comment.

The controversy underscores the tension between the free-wheeling, “code is law” ideals of blockchain-based finance and the frustrating lack of recourse for victims of crypto theft.

Some $735 million worth of digital assets have been stolen in hacks this year, according to DefiLlama. The ubiquity of crypto exploits – and the difficulty of recovering funds after they occur – is frequently cited as a key deterrent for would-be users of the technology.

The Coinbase-Curve saga provides a unique window into the messy process of asset-recovery that follows most crypto hacks. The convoluted world of crypto trading algorithms and spur-of-the-moment arbitrage opportunities can make it hard to trace where funds end up after they’re stolen from a crypto protocol. Frequently, the biggest beneficiaries of a crypto heist end up in that position by accident – earning surprise fees in exchange for running certain kinds of blockchain infrastructure.

This is the situation that Coinbase finds itself in. Whether or not the company should reimburse Curve victims with funds it earned as a result of the heist – or whether those funds are even “dirty money” in the first place – is largely a matter of interpretation.

How Coinbase gained from the Curve hack

The July 30 attack on Curve exploited a bug in the code for certain liquidity pools – baskets of cryptocurrency loaned out by users of the platform to help facilitate “decentralized” token swaps. A total of $73 million of assets were lost, and the event roiled the broader cryptocurrency markets due to Curve’s position as a cornerstone of Ethereum’s DeFi ecosystem.

One of the pools drained in the attack contained ether (ETH) and alETH, an ether derivative issued by Alchemix, a DeFi lending platform. Before the attack, the pool held 7,259 ETH and 4,822 alETH, Alchemix said. Then, the exploiter drained the majority of the tokens, leaving only 1 ETH and 3,856 alETH.

Traders use liquidity pools to swap between tokens, and the exchange rate between any two tokens in a pool is set by the ratio of assets in that pool.

Following the Curve exploit, the massive imbalance between ETH and alETH tokens in the ETH/alETH pool created an arbitrage opportunity – opening up the ability for savvy traders to purchase alETH at a steep discount. A trading robot noticed the opportunity and bought up the remaining alETH in the pool for a pittance – quickly selling them off for frxETH (another ETH derivative), which it then swapped for ETH, blockchain data shows.
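The balance shift described above can be caught by comparing consecutive pool snapshots. The following is an added example, not code from the article, Curve or Alchemix: the `Snapshot` type, function names and thresholds are assumptions, and the ratio price is a simplification (Curve pools use a different pricing invariant that holds the rate near 1:1 under moderate imbalance), so only its relative change is used as a signal.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class Snapshot:
    label: str
    eth: float    # ETH balance held by the pool
    aleth: float  # alETH balance held by the pool

# Only the "before" and "after" balances come from the article;
# the first row is constructed to show a normal, quiet step.
SNAPSHOTS = [
    Snapshot("earlier (constructed)", 7300.0, 4800.0),
    Snapshot("before", 7259.0, 4822.0),
    Snapshot("after", 1.0, 3856.0),
]

def ratio_price(s):
    """ETH per alETH implied by the balance ratio alone (simplified model)."""
    if s.eth < 0 or s.aleth <= 0:
        raise ValueError(f"unusable balances in snapshot {s.label!r}")
    return s.eth / s.aleth

def drained(prev, cur):
    """Fraction of a quantity lost between two readings (0 if it grew)."""
    return max(0.0, 1.0 - cur / prev) if prev > 0 else 0.0

def check_pool(snapshots, max_drain=0.5, max_price_drop=0.5):
    """Compare consecutive snapshots; return one alert dict per suspicious step."""
    alerts = []
    for prev, cur in zip(snapshots, snapshots[1:]):
        finding = {
            "label": cur.label,
            "eth_drain": drained(prev.eth, cur.eth),
            "aleth_drain": drained(prev.aleth, cur.aleth),
            "price_drop": drained(ratio_price(prev), ratio_price(cur)),
        }
        if (finding["eth_drain"] > max_drain
                or finding["aleth_drain"] > max_drain
                or finding["price_drop"] > max_price_drop):
            alerts.append(finding)
    return alerts

if __name__ == "__main__":
    for alert in check_pool(SNAPSHOTS):
        print(alert)
```

The reserve-drain fractions do not depend on the pricing model, which makes them the more reliable of the two signals for a pool that uses a different invariant.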

Fund flows of the arbitrage trade (Blocksec)

The trading bot only netted 43 ETH from the transactions. Most of the profits from the trade went to the validator – in this case, Coinbase’s – that wrote the transaction into Ethereum’s ledger. The unusually large fee of 570 ETH, according to blockchain data, served as an incentive to persuade the validator to automatically prioritize the bot’s transaction ahead of others looking to make the same trade.

This controversial practice of strategically ordering blockchain transactions to profit off of spur-of-the-moment trading opportunities is called maximal extractable value (MEV). The alETH arbitrage fee marked the second-highest MEV payout for a single transaction in the Ethereum blockchain’s history, according to a report from Flashbots, a leading MEV firm.

No refund

Following a public bounty and an ultimatum, the Curve exploiter returned all $22 million worth of stolen ETH and alETH to Alchemix. White hats – good-faith actors that front-ran the hacker and drained the funds themselves before they could be stolen – also sent back $13 million worth of assets, CoinDesk reported.

Though they were not obligated to, a trading bot operator known as c0ffeebabe.eth returned 2,879 ETH – worth nearly $5.5 million – to Curve.

The arbitrage trading bot that profited from the alETH imbalance – the transaction Coinbase earned $1 million from – gave back its 43-ETH profit after the Alchemix team asked for it.

But Alchemix says Coinbase has not done likewise.

“It’s crazy,” pseudonymous blockchain sleuth Ogle, founder of Ogle Security Group that specializes in asset recovery from crypto thefts including the Curve exploit, said in a Telegram message. “I’ve tried negotiating with them and spoken on the phone, but they won’t return the funds even after admitting it’s stolen.”

“They are citing neutrality and decentralization and quoted some slippery slope arguments like saying they can’t be expected to prevent all crime on the blockchain, highways aren’t responsible for people that commit crimes on them, etc.,” said Ov3rkoalafied, an Alchemix contributor who also attended a call with Coinbase.

“It’s a bad analogy because they are not a public good, and they directly profit from these operations,” he added. “If someone uses your product for crime and you are unaware, you cannot be held responsible. But if you receive a report of a specific crime being committed and knowingly profit off it, you are expected to return those funds.”

UPDATE (Sept. 15, 2023, 16:45 UTC): Adds Nansen data in the fifth paragraph.

Edited by Sam Kessler and Nick Baker.

Krisztian Sandor

Krisztian Sandor is a reporter on the U.S. markets team focusing on stablecoins and institutional investment. He holds BTC and ETH.