Solana Algorithmic Stablecoin Nirvana Reboots: Analysis of the First Conviction for a Smart Contract Attack
Solana Algorithmic Stablecoin Project Restart: The Origins and Developments of the First Smart Contract Attack Conviction Case
Last week, the financial markets were active, with the Federal Reserve announcing a 50 basis point rate cut and the Bank of Japan maintaining its current policy. These measures suggest that there may not be significant negative news in the short term. There have already been many analyses on this topic, so I won't elaborate further. Investors only need to focus on two key points: whether the job market recovers as expected and the risk of inflation reigniting.
It is worth noting that Nirvana Finance, an algorithmic stablecoin project in the Solana ecosystem, recently announced the relaunch of its V2 version. The project was forced to suspend operations after a hack in July 2022 that caused losses of over $3.5 million. The hacker who attacked the project has reportedly been convicted, and the relaunch indicates that the relevant judicial authorities may have completed the handover of the stolen funds. This could be the first conviction in the U.S. for a smart contract attack, which would have significant implications for common law systems, and the handling of similar cases in the future is expected to improve significantly.
Review of the Flash Loan Attack Incident on Nirvana Finance
Nirvana Finance is an algorithmic stablecoin project on Solana that launched in early 2022. On July 28, 2022, the project was hacked, and all collateral for the stablecoin NIRV (approximately $3.5 million) was stolen. Although the project's contracts were not open-source, the hacker was still able to profit by using Solend's flash loan feature, which raised questions about the project team.
The project claimed to have completed "automated audits" before the attack, but these proved ineffective. Co-founder Alex Hoffman stated in a media interview that the team had only started the audit work in the week the attack occurred. He admitted that they did not initially anticipate the project would attract such widespread attention until some media reports led to a significant increase in TVL. At that time, the algorithmic stablecoin sector was under the spotlight, and Solana CEO Anatoly Yakovenko had personally urged a smart contract audit.
After the funds were stolen, the project came to a standstill, but its community remained active. Community members continuously monitored the movement of the stolen funds, but tracking made no substantial progress because the hacker used privacy tools such as Tornado and Monero.
On December 14, 2023, the case took a turn. Shakeeb Ahmed, a former senior software security engineer at Amazon, pleaded guilty in the Southern District of New York to computer fraud charges related to the hacking of Nirvana Finance and another decentralized cryptocurrency exchange. The U.S. Attorney's Office stated that this is the first conviction for the hack of a smart contract.
The project's founder did not stop building after the attack and went on to develop new projects such as Superposition Finance and Concordia Systems. On April 15, 2024, Shakeeb Ahmed was sentenced to three years in prison for hacking and defrauding two cryptocurrency exchanges. On June 6, the stolen funds were transferred back to the project's designated account, marking the official recovery of the funds.
The Origin of the Case and the Hacker's Identity
In fact, the entire case originated from Crema Finance, and the Nirvana Finance attack was linked to the hacker after he was arrested and voluntarily confessed. Shakeeb Ahmed is a 34-year-old software security engineer who previously worked as a senior security engineer at an international technology company, specializing in smart contracts and blockchain auditing. He is proficient in software reverse engineering, which explains why Nirvana was attacked even though it was not open-source. Reverse engineering can restore compiled executable code to a human-readable, high-level form. Even when a contract's source is not published, developers skilled in this technique can still analyze it through the compiled code stored on-chain.
Documents released by the U.S. Department of Justice show that the case originated from a decentralized exchange that suffered a loss of about $9 million due to an attack in July 2022, suspected to be Crema Finance. On July 4, 2022, Ahmed launched a flash loan attack on the platform and offered a "white hat bounty" of $2.5 million in exchange for dropping the prosecution. Ultimately, Crema Finance agreed to accept a "bounty" of about $1.68 million.
The Nirvana Finance attack was tied to Ahmed after he voluntarily confessed following his arrest. The evidence supporting the conviction includes the browsing history on his personal computer, as well as his obfuscation of the funds using mixing protocols, Tornado, and Monero.
There are two possible reasons for Ahmed's eventual arrest: one is that the attacker interacted with a specific exchange address; the other is a mistake in the use of Tornado Cash. The obfuscation effect of Tornado Cash is related to the time funds are deposited and the number of redemption transactions that occur during that period. Ahmed redeemed funds from Tornado and transferred them to the Gemini exchange shortly after the attack, which may have provided clues to law enforcement.
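The timing point above can be made concrete with a small forensic heuristic. This is an added example, not taken from the original article or from any investigation: it models fixed-denomination mixer pools with constructed events, and `window` is a hypothetical parameter for the analyst's assumed maximum dwell time between deposit and withdrawal.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class Event:
    ts: int      # seconds since an arbitrary epoch
    kind: str    # "deposit" or "withdraw"
    pool: str    # fixed-denomination pool label
    addr: str    # depositing or receiving address (constructed labels)

def candidate_depositors(events, withdrawal, window):
    """Addresses that deposited into the same pool within `window` seconds
    before the withdrawal. `window` is the analyst's assumed maximum dwell time."""
    return sorted({
        e.addr for e in events
        if e.kind == "deposit"
        and e.pool == withdrawal.pool
        and 0 < withdrawal.ts - e.ts <= window
    })

def linkage_report(events, window):
    """Map each withdrawal address to (candidate depositors, naive 1/N score)."""
    report = {}
    for w in (e for e in events if e.kind == "withdraw"):
        cands = candidate_depositors(events, w, window)
        report[w.addr] = (cands, 1 / len(cands) if cands else 0.0)
    return report

# Constructed events, not real chain data.
EVENTS = [
    Event(0,       "deposit",  "100", "dep_A"),
    Event(1_000,   "deposit",  "100", "dep_B"),
    Event(100_000, "deposit",  "100", "dep_S"),
    Event(100_300, "deposit",  "10",  "dep_C"),   # different pool, ignored
    Event(101_800, "withdraw", "100", "out_X"),   # 30 minutes after dep_S
    Event(900_000, "withdraw", "100", "out_Y"),   # long dwell
]

if __name__ == "__main__":
    for win in (3_600, 1_000_000):
        print(win, linkage_report(EVENTS, win))
```

With a one-hour window the quick withdrawal to `out_X` has a single candidate depositor, while the long-dwell withdrawal to `out_Y` only matches once the window is wide enough to take in every earlier deposit in the pool.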
Overall, the recovery of the stolen funds is a positive signal. The case shows that DApp developers must take fund security seriously, and it also provides a reference for handling similar cases, which is expected to deter related criminal activity.