Optimism-based Exactly Protocol, which claims "to provide an autonomous fixed and variable interest rate market," announced a new bounty of $700,000 for "any information that results in the recovery of all stolen funds and the arrest of the attacker responsible for the protocol hack."
On August 19, the team behind Exactly Protocol disclosed the cause of the exploit: a vulnerability in the DebtManager periphery contract was abused. As a result, "the attacker passed in a malicious market contract address, bypassing the permit check, and executed a malicious deposit function to steal assets deposited by users."
According to the protocol's X (formerly Twitter) post on August 19, the fix was proposed the day after the exploit and had already been approved and executed by the governance multisig.
Immediately after the hack, the protocol's team tried to negotiate possible steps with the attacker. It is possible that the company allocated funds for a white hat bounty in case the attacker was willing to return the funds.
However, since the company now offers around 10% of the stolen funds as a reward for any information related to the attacker, in all likelihood, the conversation between the protocol's team and the exploiter did not take place.
In another X post, Exactly Protocol clarified that if the team did not receive a response from the attacker by the end of August 22, the reward program for informants would go into effect today.
Exactly Protocol has partnered with the prominent on-chain analytics firm Chainalysis to track the funds lost to the exploit.