Author: @Web3Mario
Abstract
There were several big events last week. The Federal Reserve cut interest rates by a relatively aggressive 50 basis points, and the Bank of Japan stayed on hold, which basically means there should be no overly negative macro news for at least the next few weeks. Plenty of articles have already analyzed this, so I will not repeat them here; to keep track of the risks, it is enough to watch two things: whether the job market recovers as expected, and whether inflation picks up again. Separately, one piece of news caught my attention: Nirvana Finance, an algorithmic stablecoin project on Solana, announced the relaunch of its V2. The project was suspended after being hacked for more than $3.5 million in July 2022. I recalled that the hacker who attacked it had been convicted, and a relaunch now means the judicial authorities must have completed the return of the stolen funds. That makes the whole affair the first case in the United States to end in a conviction for attacking a smart contract, which is of symbolic significance in a common law system: from now on, similar cases should be handled far more efficiently. So I spent some time over the weekend sorting out the full story of this case, and I share it here.
Background: the flash loan attack on Nirvana Finance
I do not know how many readers are familiar with this project, so here is a brief outline of the background. Nirvana Finance is an algorithmic stablecoin project on Solana; I will not go into its mechanism here. The project launched in early 2022 and was hacked on July 28, 2022, when all of the collateral backing its stablecoin NIRV, about $3.5 million, was drained from the protocol. The details of the attack are also interesting: even though the project's contract was not open source, the hacker was still able to profit with the help of Solend's flash loan feature. At the time the team also faced many accusations that the theft was an inside job.
In addition, before the theft the project had claimed to have completed "automated audits", which in practice did not help. Alex Hoffman, co-founder of the project, later told Cointelegraph in an interview that the team had only begun the audit process during the week of the attack. According to him, he had not expected Nirvana Finance to attract so much attention when development started, until it caught the eye of several Chinese-language news outlets and TVL surged. That is understandable: Luna was at its peak at the time, so the algorithmic stablecoin sector naturally drew wide attention. After the successful launch, Anatoly Yakovenko, CEO of Solana Labs, personally urged him to have the smart contract audited and tried to move the project up in the audit firm's schedule. Once the collateral was stolen the project came to a standstill, although its Discord community continued to be maintained by official staff. The community kept monitoring the stolen funds, but because the hacker ultimately routed them through Tornado Cash and Monero to obscure the trail, tracing produced nothing usable for recovery. Things took a turn on December 14, 2023, when Shakeeb Ahmed, a senior software security engineer who had worked at Amazon, pleaded guilty in the U.S. District Court for the Southern District of New York to a computer fraud charge covering the hacks of Nirvana Finance and an unnamed decentralized cryptocurrency exchange. The U.S. Attorney's Office also stated that this was the first-ever conviction for the hack of a smart contract.
Of course, the founder did not stop after the attack, and moved on to build other projects, Superposition Finance and Concordia Systems. That is one benefit of maintaining a degree of anonymity: at least the FUD does not follow you. The case was then sentenced on April 15, 2024, with Shakeeb Ahmed receiving three years in prison for hacking and defrauding two cryptocurrency exchanges. On June 6 the stolen funds were transferred back to the account designated by the team, which means the project's stolen funds have now been officially recovered.
In fact, the case originated with Crema Finance; Nirvana Finance was only tied to the hacker after he was caught and confessed.
The 34-year-old was a senior security engineer at an international technology company at the time of the attacks, specializing in smart contract and blockchain audits, and he was proficient in software reverse engineering, which explains how Nirvana could be attacked before its code was open-sourced. Reverse engineering here means using a disassembler or decompiler to turn compiled executable code back into something close to the original high-level source, so that a human can read it. Although the contract's source was never published, the compiled code of every on-chain program is itself stored on the chain (on Solana, as an executable program account holding SBF/eBPF-style bytecode), so anyone with the skills can simply fetch it and take it apart.
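To make the reverse-engineering point concrete, here is a small disassembler for the eBPF-style 64-bit instruction encoding that Solana programs use. This is an added example and not code from the article, from Nirvana Finance or from the attacker; the instruction bytes are constructed here to mimic a simple balance check, and the mnemonic table covers only a handful of common opcodes. Against a real program you would first fetch the ELF with `solana program dump <PROGRAM_ID> program.so` and feed this the bytes of its `.text` section (the ELF parsing is left out here).

```python
"""Minimal disassembler for the eBPF-style instruction encoding used by
Solana (SBF) programs.  Added example for this article; not code from
Nirvana Finance or from the attacker.  SAMPLE below is constructed."""
import struct

# Each instruction is 8 bytes, little-endian:
#   byte 0      opcode
#   byte 1      src register (high nibble) | dst register (low nibble)
#   bytes 2-3   signed 16-bit offset
#   bytes 4-7   signed 32-bit immediate
INSN = struct.Struct("<BBhi")

# Opcode -> (mnemonic, operand form).  Only a common subset is covered;
# unknown opcodes are printed as raw bytes rather than guessed.
OPCODES = {
    0xb7: ("mov64", "dst_imm"), 0xbf: ("mov64", "dst_src"),
    0x07: ("add64", "dst_imm"), 0x0f: ("add64", "dst_src"),
    0x17: ("sub64", "dst_imm"), 0x1f: ("sub64", "dst_src"),
    0x79: ("ldxdw", "load"),    # dst = *(u64 *)(src + off)
    0x7b: ("stxdw", "store"),   # *(u64 *)(dst + off) = src
    0x15: ("jeq", "jump_imm"),  0x55: ("jne", "jump_imm"),
    0x2d: ("jgt", "jump_src"),  0x05: ("ja", "jump"),
    0x85: ("call", "call"),     0x95: ("exit", "none"),
}

def encode(op, dst=0, src=0, off=0, imm=0):
    """Pack one instruction; used only to build the constructed sample."""
    return INSN.pack(op, (src << 4) | dst, off, imm)

def disassemble(code):
    """Return [(index, text)] for a raw instruction stream."""
    if len(code) % INSN.size:
        raise ValueError("instruction stream must be a multiple of 8 bytes")
    lines = []
    for idx in range(len(code) // INSN.size):
        op, regs, off, imm = INSN.unpack_from(code, idx * INSN.size)
        dst, src = regs & 0xF, regs >> 4
        name, form = OPCODES.get(op, ("db", "raw"))
        target = idx + 1 + off   # jump offsets are relative to the next instruction
        if form == "dst_imm":
            text = f"{name} r{dst}, {imm}"
        elif form == "dst_src":
            text = f"{name} r{dst}, r{src}"
        elif form == "load":
            text = f"{name} r{dst}, [r{src}{off:+}]"
        elif form == "store":
            text = f"{name} [r{dst}{off:+}], r{src}"
        elif form == "jump_imm":
            text = f"{name} r{dst}, {imm}, {target}"
        elif form == "jump_src":
            text = f"{name} r{dst}, r{src}, {target}"
        elif form == "jump":
            text = f"{name} {target}"
        elif form == "call":
            text = f"{name} {imm:#x}"
        elif form == "none":
            text = name
        else:
            text = f"{name} {code[idx * INSN.size:(idx + 1) * INSN.size].hex()}"
        lines.append((idx, text))
    return lines

# Constructed sample: load a u64 field from the account data r1 points at,
# return 1 if it is zero and 0 otherwise.  This is roughly what a
# closed-source check looks like to someone holding only the on-chain bytes.
SAMPLE = b"".join([
    encode(0x79, dst=2, src=1, off=0),   # ldxdw r2, [r1+0]
    encode(0xb7, dst=0, imm=0),          # mov64 r0, 0
    encode(0x55, dst=2, off=1, imm=0),   # jne r2, 0, -> 4
    encode(0xb7, dst=0, imm=1),          # mov64 r0, 1
    encode(0x95),                        # exit
])

if __name__ == "__main__":
    for idx, text in disassemble(SAMPLE):
        print(f"{idx:4d}: {text}")
```

The point is not this particular toy listing but that nothing in the process requires the developer's cooperation: the bytes are public, the encoding is documented, and the control flow of a check falls out of a few dozen lines of code. Keeping source closed therefore buys no security against a competent reverse engineer.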
According to documents later released by the U.S. Department of Justice, the case began with a decentralized exchange that was attacked in July 2022 and lost $9 million; by comparison, that matches Crema Finance. On July 4, 2022, Shakeeb Ahmed attacked that platform, also via flash loans, and then proposed a "white hat bounty" of $2.5 million in exchange for returning the remaining user assets and the protocol dropping any prosecution of the hacker. Crema Finance ultimately announced that it had agreed to a "white hat bounty" of about $1.68 million.
The documents also describe that Nirvana Finance only came into the picture when the hacker voluntarily confessed after being caught. The evidence for Shakeeb Ahmed's conviction, besides the browsing history recovered from his personal computer, which contained related searches, also describes how, after launching these attacks, he used many methods to muddy the trail, including mixing protocols, Tornado Cash and Monero. This raises an interesting question: what did Shakeeb Ahmed do that ultimately led to his arrest?
There are probably two answers. First, according to SolanaFM's analysis at the time of the attack, the attacker's address had interacted with a Huobi exchange address, or with a nested exchange address associated with Huobi, because that is where the attack address's initial funds came from, and an exchange with KYC records can tell investigators who funded that address. Second, he misused Tornado Cash. Tornado Cash's ability to obscure funds depends on how long a deposit sits in the pool and how many other deposits and withdrawals of the same denomination pass through it in the meantime; the anonymity set only grows if you wait long enough. Shortly after the attack, Ahmed deposited funds into Tornado Cash and withdrew them again within a short time, and the withdrawn funds eventually landed at the centralized exchange Gemini. This suggests that the authorities identified Shakeeb Ahmed, and eventually arrested him in New York, with the cooperation of those two centralized exchanges.
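To show why a short dwell time in the mixer matters, here is a small model of a fixed-denomination mixer pool in the style of Tornado Cash, with an anonymity-set count per withdrawal and the simple timing heuristic an analyst would apply first. This is an added example and not the article's own analysis, nor the method SolanaFM or the investigators used; the events and the one-hour window are constructed assumptions, and a real Tornado Cash analysis would read the contract's Deposit and Withdrawal events and combine timing with many more signals.

```python
"""Anonymity-set estimate and a timing heuristic for a fixed-denomination
mixer pool (Tornado Cash style).  Added example for this article; the
events and the time window are constructed assumptions, not real data."""
from dataclasses import dataclass

@dataclass(frozen=True)
class Event:
    ts: int      # unix timestamp of the transaction
    kind: str    # "deposit" or "withdraw"
    pool: str    # pool denomination, e.g. "100 ETH"
    addr: str    # depositor address or withdrawal recipient

def anonymity_sets(events):
    """For each withdrawal, count the deposits into the same pool that
    preceded it and have not been consumed by an earlier withdrawal.
    A withdrawal can hide among at most that many deposits."""
    pending = {}                      # pool -> unspent deposit count
    result = []
    for ev in sorted(events, key=lambda x: x.ts):
        if ev.kind == "deposit":
            pending[ev.pool] = pending.get(ev.pool, 0) + 1
        elif ev.kind == "withdraw":
            n = pending.get(ev.pool, 0)
            result.append((ev, n))
            pending[ev.pool] = max(n - 1, 0)
        else:
            raise ValueError(f"unknown event kind {ev.kind!r}")
    return result

def likely_links(events, max_dwell):
    """Timing heuristic: if exactly one deposit into the withdrawal's pool
    landed within max_dwell seconds before it, link the two addresses.
    Waiting longer, or withdrawing from a busy pool, defeats this."""
    ordered = sorted(events, key=lambda x: x.ts)
    links = []
    for i, w in enumerate(ordered):
        if w.kind != "withdraw":
            continue
        recent = [d for d in ordered[:i]
                  if d.kind == "deposit" and d.pool == w.pool
                  and w.ts - d.ts <= max_dwell]
        if len(recent) == 1:
            links.append((w.addr, recent[0].addr))
    return links

# Constructed events (not real chain data).  "attacker" deposits and cashes
# out 15 minutes later with nobody else in the pool; "carol" withdraws a
# day after two unrelated deposits and gets no confident link.
SAMPLE_EVENTS = [
    Event(1_000,  "deposit",  "100 ETH", "attacker"),
    Event(1_900,  "withdraw", "100 ETH", "cashout"),
    Event(5_000,  "deposit",  "100 ETH", "alice"),
    Event(6_000,  "deposit",  "100 ETH", "bob"),
    Event(90_000, "withdraw", "100 ETH", "carol"),
]
ONE_HOUR = 3600   # assumed dwell-time threshold for the heuristic

if __name__ == "__main__":
    for w, n in anonymity_sets(SAMPLE_EVENTS):
        print(f"withdrawal to {w.addr:8s} at t={w.ts:6d}: anonymity set {n}")
    for recipient, depositor in likely_links(SAMPLE_EVENTS, ONE_HOUR):
        print(f"{recipient} is likely funded by {depositor}")
```

Run against the constructed events, the quick cash-out has an anonymity set of one and is linked straight back to the depositor, while the withdrawal that waited behind other deposits is not. Once the linked recipient address deposits at a KYC exchange, the exchange's records close the loop, which is the pattern the text above describes.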
In any case, the recovery of the stolen funds is good news, and it points to two things. First, for DApp developers, fund security is a dimension that must be designed for from the start. Second, there is now a blueprint for handling cases of this kind, which should have some deterrent effect on similar behavior.