Following a significant security breach, Flamingo Finance has published a comprehensive post-mortem report detailing the recent exploitation of the Poly Network cross-chain CMCC bridge contract.
The incident, which took place on August 12, 2024, resulted in the theft of approximately $5 million worth of assets. This exploit specifically targeted the cross-chain bridge on the Neo N3 blockchain, leading to its temporary suspension.
In response to this breach, Flamingo Finance, in collaboration with Neo Global Development (NGD) and Poly Network, launched an extensive investigation and initiated recovery efforts.
The Poly Network cross-chain CMCC bridge contract was subject to an exploit on August 12, 2024. Our new article goes into what happened, what it means for you, and outlines the tentative Asset Support Initiative.
Read the article: https://t.co/09NoMMDOwH
— Flamingo Finance (@FlamingoFinance) August 20, 2024
Poly Network Exploit: $5 Million in Assets Compromised
On August 12, a vulnerability within the Poly Network CMCC contract was exploited by a hacker, resulting in the theft of around $4 to $5 million in assets.
The stolen assets represented about 20-25% of the total cross-chain funds, including popular tokens such as fUSDT, fWBTC, fWETH, fBNB, fCAKE, pWING, and pONT.
The hacker managed to drain funds from the bridge’s hot wallet, though the cold wallet remained secure, preventing an even larger loss.
In the wake of the breach, Flamingo Finance and its partners acted quickly to freeze any wallets associated with the hacker and began tracking the stolen assets.
Despite these efforts, the funds have not yet been recovered, although a bounty has been offered to encourage their return.
Flamingo Finance remains cautiously optimistic about the potential recovery of the stolen assets, though this outcome is uncertain.
The exploit has also had a notable impact on the value of cross-chain f- and p-assets on the Flamingo platform. Currently, these assets are trading at roughly 75-80% of the value of their unwrapped versions, reflecting the share of cross-chain funds that was not compromised.
The Asset Support Initiative: Steps Toward Recovery
In response to the losses, Flamingo Finance has launched the Asset Support Initiative, a detailed recovery plan designed to mitigate the impact on holders of the affected f- and p-assets.
At the heart of the Asset Support Initiative is the distribution of 40,000,000 FLOCKS tokens, which are equivalent to 40,000,000 FLM (valued at approximately $2.5 million), over a period of two years.
These tokens will be distributed to users who migrate their compromised f- and p-assets to a newly backed asset on the source chain, ensuring the restoration of the 1:1 peg and enhancing stability.
The migration process will allow users to swap their current cross-chain assets for new versions, fully backed by their unwrapped counterparts.
Additionally, users will receive FLOCKS tokens equivalent to 50% of their realized losses, paid out in 24 monthly installments.
This approach is designed to alleviate the financial impact of the breach and provide a way for users to recover some of their losses over time.
Flamingo Finance has also stated that if the stolen funds are recovered, the distribution of FLOCKS tokens will cease, and the assets will be returned to the affected users.
Although the breach did not directly involve Flamingo Finance’s systems, the incident has still shaken user confidence.
It’s worth noting that this is not the first time Poly Network has been targeted. A significant exploit in June 2023 resulted in the loss of at least $600.3 million.
Additionally, another breach occurred earlier this month on the Ronin Network, leading to the theft of 3,996 Ether tokens, valued at approximately $9.8 million.
There is speculation that the recent breach might have been the work of a white hat hacker, who typically returns stolen assets after exposing security vulnerabilities. However, as the funds have not yet been returned, the hacker’s intentions remain unclear.