Nirvana Finance Rebooted on Solana: The First Case Convicted Due to a Smart Contract Attack

Many significant events occurred last week, including the Federal Reserve cutting interest rates and the Bank of Japan maintaining its interest rates. These decisions suggest that there is little likelihood of overly bearish information in the coming weeks. However, one noteworthy piece of news is that the algorithmic stablecoin project Nirvana Finance on Solana announced the restart of its V2 version. The project was forced to suspend operations after suffering a hack in July 2022, resulting in losses of over $3.5 million.

This case is significant because it may be the first in the United States to result in a conviction due to a smart contracts attack. This is a milestone for common law systems and is expected to significantly improve the handling of similar cases.

Background of Nirvana Finance's Flash Loan Attack

Nirvana Finance is an algorithmic stablecoin project on the Solana blockchain. The project launched in early 2022, but was hacked on July 28 of the same year, resulting in the theft of all collateral for its stablecoin NIRV (approximately $3.5 million). Although the project's smart contracts are not open source, the hacker still exploited Solend's flash loan feature to carry out the attack, which raised some questions about the team.

It is worth noting that the project claimed to have completed "automated auditing" before being attacked, but this clearly did not have the intended effect. Co-founder Alex Hoffman revealed in a media interview that the team had just started the auditing work the week the attack occurred. He admitted that they initially did not anticipate the project would attract such significant attention until some media reports led to a sharp increase in the total value locked (TVL).

After the project achieved initial success, the CEO of a well-known blockchain platform personally urged for a smart contracts audit and attempted to expedite the scheduling with the auditing company. However, after the collateral was stolen, the project came to a standstill, with only social media channels still being maintained.

Turning Point of the Case

The situation took a turn on December 14, 2023. Shakeeb Ahmed, a former senior software security engineer at a large tech company, pleaded guilty in the Southern District Court of New York to computer fraud charges related to the hack of Nirvana Finance and another decentralized cryptocurrency exchange. The prosecutor's office stated that this is the first case resulting in a conviction for a hack of smart contracts.

On April 15, 2024, Ahmed was sentenced to three years in prison for hacking and defrauding two cryptocurrency exchanges. Subsequently, on June 6, the stolen funds were transferred back to the project's designated account, marking the official recovery of the funds.

The Root and Details of the Case

In fact, the source of this case should be an attack suffered by another decentralized exchange in July 2022, resulting in a loss of approximately $9 million. Ahmed attacked the platform through a flash loan and proposed a $2.5 million "white hat bounty" in exchange for dropping the prosecution. Ultimately, the platform agreed to accept a bounty of about $1.68 million.

The case of Nirvana Finance was actively disclosed after Ahmed's arrest. In addition to investigating his personal computer's browsing history, it was found that he used various methods, including coin mixing protocols, certain anonymization tools, and privacy coins to cover his tracks.

There may be two reasons for Ahmed's arrest: first, the attacker interacted with certain exchange addresses. Second, he made a mistake while using anonymization tools, quickly redeeming funds after depositing them, and the redeemed funds ultimately ended up in a centralized exchange. These clues may assist law enforcement in capturing him in New York by cooperating with the relevant exchanges.

The successful resolution of this case is not only good news but also reflects two important issues: First, for decentralized application developers, the security of funds must be a primary consideration. Second, there is now a reference template for handling such cases, which may have a certain deterrent effect on similar actions.