Flamingo Finance Addresses Poly Network Exploit: $5 Million in Stolen Funds
In the wake of a significant security breach, Flamingo Finance has published a comprehensive post-mortem report regarding the recent exploitation of the Poly Network cross-chain CMCC bridge contract. The breach, occurring on August 12, 2024, resulted in the misappropriation of roughly $5 million in assets, impacting the Neo N3 blockchain's cross-chain bridge and leading to its operational suspension.
Following the breach, an extensive investigation and a sequence of recovery initiatives have been initiated by Flamingo Finance in conjunction with Neo Global Development (NGD) and Poly Network.
Poly Network Exploit: $5 Million Stolen Funds
The breach targeted the Poly Network CMCC contract, enabling the hacker to exploit vulnerabilities in the smart contract and syphon off approximately $4 to $5 million in assets. The stolen funds comprised roughly 20-25% of all cross-chain asset funds and included popular tokens such as fUSDT, fWBTC, fWETH, fBNB, fCAKE, pWING, and pONT.
The funds were extracted from the bridge's hot wallet, while the cold wallet remained secure, mitigating the potential loss. In response to the breach, Flamingo Finance and its partners swiftly froze any wallets associated with the exploit and launched an investigation to trace the misappropriated assets.
Despite concerted efforts, the hacker has not yet returned the funds, although a bounty has been proposed to incentivize their return. Flamingo Finance remains optimistic about the potential recovery of the assets, albeit without guarantee.
As a direct consequence of the exploit, the value of cross-chain f- and p-assets on the Flamingo platform has been significantly affected, currently trading at approximately 75-80% of their unwrapped versions' value, reflecting the compromised funds.
The Asset Support Initiative: A Path to Recovery
In response to the breach, Flamingo Finance has introduced the Asset Support Initiative, a comprehensive recovery strategy to alleviate losses suffered by holders of the affected f- and p-assets. The core element of the initiative involves the distribution of 40,000,000 FLOCKS tokens, equivalent to 40,000,000 FLM (valued at approximately $2.5 million), over a two-year period.
These tokens will be allocated to users who transition their impacted f- and p-assets to a new asset fully backed on the source chain, ensuring a restored peg and enhanced stability. The migration process enables users to exchange their current cross-chain assets for new versions pegged 1:1 with their unwrapped counterparts.
Furthermore, users will receive FLOCKS tokens equating to 50% of their realized losses, distributed over 24 monthly installments. This gradual compensation approach aims to soften the financial impact and provide users with an avenue to recover portions of their losses gradually.
Flamingo Finance has stipulated that should the pilfered funds be recuperated, payments in FLOCKS tokens will cease, and the assets will be returned to impacted users, despite the breach not involving their systems but still eroding user confidence.
It's worth noting that this incident is not the inaugural attack on Poly Network; a substantial exploit was also recorded in June 2023, with Poly Network losing at least USD 600.3 million in funds.
Similarly, this recent attack is not an isolated case this month. The Ronin Network encountered a similar security breach, resulting in the loss of 3,996 Ether tokens valued at around $9.8 million. The motivation behind the hacker's actions remains uncertain, with speculations suggesting the possibility of a white hat hacker responsible, who typically returns stolen assets after highlighting security vulnerabilities.
