Original author: @Web3 Mario (https://x.com/web3_mario)
Abstract: There were a lot of big events last week. The Federal Reserve cut interest rates by a relatively aggressive 50 basis points, and the Bank of Japan remained on hold. This basically indicates that there will be no excessively negative information in the next few weeks. There are already many articles analyzing this, so I will not repeat them here. In this process, as long as you pay attention to two logics, you can grasp the risks relatively easily: one is whether the job market recovers as expected, and the other is the risk of inflation rekindling. In addition, there is a piece of news that attracted the author's attention. Nirvana Finance, a stablecoin project on Solana, announced the restart of V2. This project was suspended after being hacked for more than 3.5 million US dollars in July 2022. I remember having learned earlier that the hacker who attacked the project had been convicted, and the recent restart means that the relevant judicial institutions should have completed the transfer of the stolen funds, which means that the entire incident should be defined as the first case in the United States in which someone was convicted for a smart contract attack. This is of symbolic significance to the common law system; from now on, the handling of similar cases should be significantly improved. Therefore, I spent some time over the weekend sorting out the whole process of this case in detail to share it with you.
Background of Nirvana Finance’s flash loan attack
I don’t know how many of you know about this project, so let me briefly describe the background of the whole incident. First of all, Nirvana Finance is an algorithmic stablecoin project on Solana, which I will not elaborate on here. The project was launched in early 2022 and was hacked on July 28, 2022; all the collateral backing the stablecoin NIRV in the protocol was stolen, about 3.5 million US dollars. The details of the attack are also very interesting. Although the project's contract was not open source, the hacker was still able to profit with the help of Solend’s flash loan function. At the time, the team also faced many accusations of embezzlement.
In addition, before the theft, the project claimed that it had completed an automated audit, but in fact this did not help. In a later interview with Cointelegraph, Alex Hoffman, co-founder of Solana, said that the team had already started the audit work in the week of the attack. According to him, he had not expected Nirvana Finance to receive so much attention at the beginning of development, until it attracted the attention of several Chinese news media, causing TVL to soar. This is of course understandable: at that time, when Luna was in its heyday, the algorithmic stablecoin track naturally received widespread attention. After the successful launch, Anatoly Yakovenko, the CEO of Solana at the time, also personally urged him to conduct a smart contract audit and tried to move it forward in the audit company's schedule.
After the collateral was stolen, the project came to a standstill, but its Discord community continued to be maintained by official personnel. During this period, the community kept monitoring the stolen funds, but because the hacker eventually chose Tornado and Monero to isolate them, no progress was made in recovering them. Things took a turn for the better on December 14, 2023, when a senior software security engineer named Shakeeb Ahmed, who had worked at Amazon, pleaded guilty in the Southern District Court of New York to a computer fraud charge related to the hacking of Nirvana Finance and an unnamed decentralized cryptocurrency exchange. The U.S. Attorney's Office also stated that this was the first conviction ever for hacking a smart contract.
Of course, the founder did not stop after the project was attacked, and turned to developing other projects, superposition finance and concordia systems. This is also the benefit of maintaining a certain degree of anonymity: at least the FUD will not carry over. The case was then sentenced on April 15, 2024, and Shakeeb Ahmed received three years in prison for hacking and defrauding two cryptocurrency exchanges. Then, on June 6, the stolen funds were transferred back to the team's designated account, which means that the project's stolen funds have been officially recovered.
In fact, the origin of the entire case was Crema Finance; Nirvana Finance was only identified after the hacker was caught and confessed.
The 34-year-old software security engineer was a senior security engineer at an international technology company at the time of the attack, specializing in smart contracts and blockchain auditing. He is also proficient in software reverse engineering, which explains how Nirvana could be attacked before it was open source. Reverse engineering is the use of decompilation software to turn compiled executable code back into something close to the high-level language it was written in, so that it is human-readable. Although the corresponding contract was not open source, all the compiled code of a smart contract is stored on the chain, and developers who are proficient in this technique can easily obtain it.
According to documents later released by the U.S. Department of Justice, the origin of the entire case was a decentralized exchange that was attacked in July 2022 and lost $9 million. By comparison, this was judged to be Crema Finance. On July 4, 2022, Shakeeb Ahmed also attacked that platform through flash loans, and a white hat bounty of $2.5 million was proposed in exchange for returning the other users' assets and giving up prosecution of the hacker. In the end, Crema Finance announced that it had agreed to a white hat bounty of approximately $1.68 million.
The document states that Nirvana Finance was identified after the hacker was caught and voluntarily disclosed it. Among the evidence for Shakeeb Ahmed's conviction, in addition to recovering the web browsing history on his personal computer and finding some relevant content, it also describes that after launching these attacks he used many means, including currency-mixing protocols such as Tornado and Monero, to obfuscate the funds. This raises an interesting question: what did Shakeeb Ahmed do that eventually got him arrested?
There may be two answers. First, according to SolanaFM's analysis at the time of the attack, the attacker either interacted with a Huobi exchange address or with a nested exchange address associated with Huobi, because the initial funds of the attack address came from there. Secondly, there was a mistake in using Tornado Cash. Since Tornado Cash's ability to obfuscate funds depends on the time a deposit stays in the pool, the degree of obfuscation only increases if the deposit is held long enough and enough other withdrawals occur during that period. Shortly after the attack, Ahmed deposited funds into Tornado and a withdrawal occurred within a short time, and the withdrawn funds eventually entered the centralized exchange Gemini. This seems to indicate that the judicial authorities cooperated with the above two centralized exchanges to locate Shakeeb Ahmed and eventually arrested him in New York.
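The timing weakness described above is what chain-analysis tooling looks for: a withdrawal from a fixed-denomination pool made shortly after a deposit, while the pool holds few other spendable notes, has a tiny anonymity set. The following is an added example (not from the original article or any analytics vendor) that runs that heuristic over a constructed event stream; the event times, addresses and the one-hour window are assumptions for illustration.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class Event:
    kind: str   # "deposit" or "withdraw"
    time: int   # block timestamp in seconds (constructed values)
    addr: str   # depositor or withdrawal recipient (constructed values)


MAX_GAP = 3600  # assumed linkage window: one hour

# Constructed activity for a single fixed-denomination pool.
SAMPLE = [
    Event("deposit", 0, "0xaaa"),
    Event("withdraw", 1800, "0xbbb"),    # only one note in pool, fresh deposit
    Event("deposit", 7200, "0xccc"),
    Event("deposit", 7300, "0xddd"),
    Event("withdraw", 7400, "0xeee"),    # two candidate notes: ambiguous
    Event("withdraw", 9000, "0xfff"),    # one note left, but two recent deposits
    Event("deposit", 20000, "0x111"),
    Event("withdraw", 20300, "0x222"),   # quiet pool, withdrawn 5 minutes later
]


def linkable_withdrawals(events, max_gap=MAX_GAP):
    """Return (deposit_addr, withdraw_addr) pairs for withdrawals whose
    anonymity set collapses to a single recent deposit.

    The anonymity set is approximated as the number of notes still in the
    pool (deposits minus withdrawals so far). A withdrawal is flagged only
    when exactly one note remains and exactly one deposit landed within
    max_gap seconds; longer waits or more intervening activity defeat it."""
    ordered = sorted(events, key=lambda e: e.time)
    flagged = []
    for i, w in enumerate(ordered):
        if w.kind != "withdraw":
            continue
        prior = ordered[:i]
        deposits = [e for e in prior if e.kind == "deposit"]
        withdrawals = [e for e in prior if e.kind == "withdraw"]
        unspent_notes = len(deposits) - len(withdrawals)
        recent = [d for d in deposits if w.time - d.time <= max_gap]
        if unspent_notes == 1 and len(recent) == 1:
            flagged.append((recent[0].addr, w.addr))
    return flagged


if __name__ == "__main__":
    for dep, wd in linkable_withdrawals(SAMPLE):
        print(f"withdrawal {wd} likely funded by deposit {dep}")
```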
In any case, the recovery of the stolen funds is a good thing, and it also reflects two points. First, for DApp developers, fund security is a dimension that must be considered. Secondly, such cases now have a blueprint for handling, which should have a certain deterrent effect on similar behavior.