Nirvana Finance Reboot: The First Conviction Case Triggered by Smart Contracts Attack

Many important events occurred last week, among which the relatively aggressive interest rate cut decision by the Federal Reserve and the Bank of Japan's inaction indicate that excessive negative information is unlikely to appear in the short term. The market has already discussed these macroeconomic trends extensively, and this article will not elaborate further. It is worth noting that investors should mainly focus on two key factors: the recovery of the labor market and the risk of inflation re-igniting.

However, a notable piece of news is that the algorithmic stablecoin project Nirvana Finance in the Solana ecosystem has announced the restart of its V2 version. The project was forced to suspend operations after suffering a hacker attack in July 2022, resulting in losses of over $3.5 million. The current restart indicates that the relevant judicial authorities may have completed the handling of the stolen funds. This incident could become the first case in the United States to result in a conviction due to a smart contracts attack, which holds significant implications for common law countries, and the handling processes for similar cases in the future are expected to improve significantly.

Background of Nirvana Finance's flash loan attack

Nirvana Finance is an algorithmic stablecoin project on the Solana blockchain. The project launched in early 2022 but suffered a hack on July 28 of the same year, resulting in the theft of all collateral (approximately $3.5 million) for its stablecoin NIRV. Although the project contracts were not open-source, the attacker successfully executed the attack using the flash loan feature of a certain lending platform, which also raised some speculation about internal involvement.

It is worth mentioning that the project claimed to have completed "automated audits" before being attacked, but it proved that this approach was unreliable. Project co-founder Alex Hoffman stated in a media interview that the team had just begun formal audit work the week the attack occurred. He admitted that they initially did not anticipate the project would attract such widespread attention until some media reports led to a significant increase in the total value locked (TVL). This situation was not uncommon against the backdrop of the algorithmic stablecoin sector being in the spotlight at that time.

After the project achieved initial success, the CEO of a certain blockchain platform personally urged the team to conduct smart contracts audits and attempted to expedite the audit process. However, after the collateral was stolen, the project came to a standstill, although its community platform still had official personnel maintaining it.

The entire event took a turn on December 14, 2023, when Shakeeb Ahmed, a former senior software security engineer at a tech giant, admitted to computer fraud charges related to a hacking incident involving Nirvana Finance and another decentralized cryptocurrency exchange in the Southern District Court of New York. The U.S. Attorney's Office stated that this is the first case to be convicted due to a hacking attack on smart contracts.

The project's founders did not stop innovating after being attacked, but instead developed other projects, such as superposition finance and concordia systems. This also reflects the advantage of maintaining a certain level of anonymity, which at least avoids the spread of negative sentiment.

On April 15, 2024, the case reached a verdict, with Shakeeb Ahmed being sentenced to three years in prison for hacking and defrauding two cryptocurrency exchanges. Subsequently, on June 6, the stolen funds were returned to the designated account, marking the official recovery of the stolen project funds.

The source of the case: from Crema Finance to Nirvana Finance

In fact, the source of this case should be another decentralized exchange, Crema Finance. Nirvana Finance was voluntarily disclosed after the hacker was arrested.

Shakeeb Ahmed, a 34-year-old software security engineer, was a senior security engineer at an international technology company during the attack, specializing in smart contracts and blockchain auditing. He is proficient in software reverse engineering, which explains why Nirvana's non-open-source contracts were attacked. Reverse engineering techniques allow compiled execution code to be converted back into human-readable high-level languages; although the contracts are not open source, all compiled code is stored on the blockchain, making it easy for developers familiar with this technology to access.

According to documents released by the U.S. Department of Justice, the entire case originated from the decentralized exchange Crema Finance, which was attacked in July 2022 and lost approximately $9 million. On July 4, 2022, Ahmed launched a flash loan attack on the platform and offered a $2.5 million "bug bounty" in exchange for the return of other users' assets and the abandonment of prosecution. Ultimately, Crema Finance agreed to accept a bounty of approximately $1.68 million.

The attack on Nirvana Finance was actively confessed after Ahmed's arrest. In addition to investigating his personal computer browsing history, the documents also describe how he used various methods, including coin mixing protocols, privacy coins, etc., to obscure the flow of funds.

So, how was Ahmed ultimately captured? There are two possible explanations:

1. According to the on-chain analysis at the time of the attack, the attacker interacted with a certain centralized exchange address, as the initial funds of the attack address originated from there.

2. Ahmed may have made a mistake while using a certain privacy protocol. The obfuscation effect of this protocol is related to the time of fund deposits and the number of redemption transactions that occurred during that period. Ahmed deposited funds into the protocol soon after the attack and quickly made a redemption, ultimately leading the funds to flow into another centralized exchange.

These clues suggest that law enforcement may have collaborated with these centralized exchanges to ultimately arrest Ahmed in New York.

Regardless, the recovery of stolen funds is a positive outcome. This case highlights two key issues: first, DApp developers must prioritize the security of funds; second, there is now a reference template for handling such cases, which may serve as a deterrent for similar actions.