Developer Linked to Curve Exploit by ZachXBT Is a Victim, Not a Hacker

The Web3 developer mentioned in the detective’s tweets about the crypto exchange hack was himself hacked in May 2023.

Hacker working on a computer
The developer is concerned about the impact of ZachXBT’s tweets on his reputation.

On August 5, famous blockchain detective ZachXBT reported an update on the JPEG’d exploit, which was the result of the reentrancy attack on the Curve liquidity pool on July 30. According to the sleuth, the hacker decided to cooperate with the JPEG’d team and return 5495 ETH for a 10% white hat bounty.

Read also: Security Incident Losses Exceed $400 Million in June

JPEG’d, "an experimental protocol bridging the gap between DeFi and NFTs," was one of the projects affected by the hack of the liquidity pool-based decentralized exchange Curve. The hacker exploited the reentrancy vulnerability in Vyper, a Pythonic contract-oriented programming language designed to interact with the Ethereum Virtual Machine (EVM). According to blockchain analytics firm CertiK, the exploit, which resulted in damage totaling almost $70 million, has been "the largest reentrancy attack so far in 2023."

Despite the seemingly positive outcome of the event, ZachXBT's Twitter posts have caused some confusion in the crypto community. The detective mentioned a Python library and Bancor network developer, who preferred to maintain his confidentiality, in a way that made some Twitter users assume the programmer could be responsible for the Curve exploit.

In his August 2 tweet, ZachXBT pointed to the developer and asked him to contact the JPEG’d team as soon as possible. "The JPEG’d team wishes to chat with you as your address is tied on-chain to the recent Curve Pool exploit," the detective wrote on his Twitter profile. The message sent to the Web3 developer specifically stated that the reason for the JPEG’d team contacting them was "to discuss a white hat bounty."

"Wow, you got him, I do not know how this developer feels when they try to rip off people and rectify the whole market," "You get a formal notice from ZachXBT," some of the crypto community members were apparently misled by ZachXBT’s post.

Although the on-chain sleuth claimed that neither he nor the JPEG’d team held the developer responsible for the hack, he felt that he was portrayed as an exploiter.

"We had to speak with him as he was tied on-chain. Nowhere did we state he was directly responsible. Tried reaching out before tweeting and did not get a reply back," ZachXBT explained in a tweet when his followers raised the issue of public accusations.

ZachXBT posted shortly after contacting the programmer, that "he reached out to the team and confirmed ownership of the addresses but claims his contract was exploited in May 2023." The detective confirmed that this version of the event was verified as true.

The programmer responded to the Twitter posts on his involvement in the exploit, "Hey, we spoke. One of my contracts was hacked by the same Curve exploiter, but that makes me another victim. This is the on-chain connection mentioned." The developer specifically asked ZachXBT to edit his original post, stressing that he "does not appreciate being blamed for something for no reason," and that he wants to preserve his reputation.

While ZachXBT may not have intended to blame the Web3 developer for the JPEG’d exploit, it did cause confusion.

"I will just say that the way you posted it seemed to me like you are saying he was the hacker, and it seems I am not the only one," Twitter user Cardinal Error stated in a post, whereas users Braavos Banker and Doug Sugma.eth emphasized how serious the impact of such accusations could be on one's life.

"So that gives you the right to simply doxx him and put his life in danger? 'We tried' then we decided to just sentence him in absentia because on-chain," Braavos Banker commented in ZachXBT's Twitter thread, adding that there is "a big difference between being a former victim and a criminal associate or hacker themself."

Read also: Total losses from hacks drop fourfold compared to 2022

Although ZachXBT emphasized in the update to the hack that the developer "is not the exploiter but was linked on-chain because a few of his contracts were drained by this person [the exploiter]," the detective's initial post created too strong an impression of the Web3 developer’s fault, and now many of ZachXBT’s followers are still convinced that the programmer is responsible for the hack. The fact that the identity of the hacker has not been disclosed contributes to the confusion even more.

Meanwhile, the JPEG’d team publicly thanked ZachXBT for his assistance in recovering the funds and promised to cease "any legal matters against the entity."

"We view this occurrence as a white-hat rescue, and as a result: 0x9d1ec3375252d4ab3c128f9774be266f67faa0bd will be rewarded with 10% of the rescued fund as a white-hat bounty from the JPEG'd team, which translates to 610.6 WETH," JPEG’d tweeted on August 4.