A former Amazon engineer this week pleaded guilty to hacking two cryptocurrency exchanges in a landmark case that resulted in the first ever conviction involving the hacking of a smart contract.
Shakeeb Ahmed, who previously worked as a security engineer for Amazon, will face up to five years in prison and will have to forfeit $12.3 million worth of stolen cryptocurrency, according to a statement from the United States Attorney for the Southern District of New York.
The hacks, which took place in 2022, targeted Nirvana Finance and a second unnamed crypto exchange on the Solana blockchain.
Blockchain is essentially a digital ledger allowing users to store data, including financial transactions, in a decentralized environment. One benefit to blockchain is security because the stored data cannot be edited.
Ahmed exploited a vulnerability in the exchange’s smart contracts, according to the US Attorney, allowing him to submit falsified data that resulted in the contracts generating millions of dollars worth of inflated fees he hadn’t earned.
What are smart contracts?
Smart contracts are blockchain programs that, like a vending machine, execute specified functions when predetermined conditions are met. For example, a landlord leasing an apartment could use a smart contract in which the renter must transfer a security deposit to receive the apartment door code.
Ahmed was able to reverse engineer the steps needed to make the exchanges pay out massive sums by using specialized skills he developed working for Amazon, according to the US Attorney.
Ahmed then attempted to cover his tracks by negotiating with the unnamed crypto exchange. He said he’d agree to return all of the stolen funds, less $1.5 million if the exchange agreed not to contact law enforcement about the hack, prosecutors said.
After hacking the first exchange, Ahmed targeted Nirvana’s cryptocurrency, ANA, exploiting a function of the cryptocurrency intended to inflate each token’s price after a large sum was purchased. Using a workaround in Nirvana’s smart contract, Ahmed could buy $10 million worth of ANA tokens at an artificially lowered price and sell them for $3.6 million in profit.
“Nirvana offered AHMED a ‘bug bounty’ of as much as $600,000 to return the stolen funds, but AHMED instead demanded $1.4 million, did not reach agreement with Nirvana, and kept all the stolen funds,” according to the US Attorney statement. “The $3.6 million AHMED stole represented approximately all the funds possessed by Nirvana, which as a result shut down shortly after AHMED’s attack.”
Ahmed stole over $12 million and “tried to cover his tracks by swapping stolen crypto for Monero, using cryptocurrency mixers, hopping across blockchains, and utilizing overseas crypto exchanges,” US Attorney Damian Williams said in a statement.
Representatives for the United States Attorney for the Southern District of New York did not immediately respond to a request for comment from Business Insider.
In theory, the benefit of a smart contract is to eliminate the risk of fraud by a middleman or, say, a broker. However, the program has been vulnerable to attacks by hackers.
About $2.2 billion in cryptocurrency was stolen in 2022 from Decentralized Finance (DeFi) projects, allowing people to carry out financial transactions without needing third parties or financial institutions such as banks.
The New York Times reported that many of the thefts were carried out by taking advantage of vulnerabilities in smart contracts. Since smart contracts are built upon open-source code, hackers can make themselves aware of the inner workings of the software and take advantage of any vulnerabilities.