Flamingo Finance Shares Post-Mortem for $5M Poly Network Exploit and Recovery Efforts
In the aftermath of a massive security breach, Flamingo Finance released a detailed post-mortem report on August 20, addressing the recent exploit of the Poly Network cross-chain CMCC bridge contract.
The incident, which occurred on August 12, 2024, resulted in the theft of approximately $5 million in assets, affecting the Neo N3 blockchain’s cross-chain bridge and suspending its operations.
The event has led to an intensive investigation and a series of recovery efforts led by Flamingo Finance in collaboration with Neo Global Development (NGD) and Poly Network.
Poly Network Exploit: $5 Million Stolen Funds
The breach 12 targeted the Poly Network CMCC contract, allowing the hacker to exploit vulnerabilities in the smart contract and siphon off around $4 to $5 million in assets.
The stolen funds comprised roughly 20-25% of all cross-chain asset funds and included popular tokens such as fUSDT, fWBTC, fWETH, fBNB, fCAKE, pWING, and pONT.
The funds were taken from the bridge’s hot wallet, while the cold wallet remained secure, preventing an even greater loss.
Flamingo Finance and its partners swiftly responded to the breach by freezing any wallets linked to the exploit and launching an investigation to trace the stolen assets.
Despite these efforts, the hacker has not yet returned the funds, though a bounty has been offered to incentivize their return.
Flamingo Finance is hopeful that the assets can be recovered, although this outcome is not guaranteed.
As a direct consequence of the exploit, the value of cross-chain f- and p-assets on the Flamingo platform has been heavily impacted.
These assets are currently trading at approximately 75-80% of their unwrapped versions’ value, reflecting the portion of funds that were compromised.
The Asset Support Initiative: A Path to Recovery
Flamingo Finance has introduced the Asset Support Initiative, a comprehensive recovery plan to mitigate the losses incurred by holders of the affected f- and p-assets.
The cornerstone of the Asset Support Initiative is the distribution of 40,000,000 FLOCKS tokens, equivalent to 40,000,000 FLM (valued at approximately $2.5 million), over two years.
These tokens will be compensated to users who migrate their affected f—and p-assets to a new asset fully backed on the source chain, ensuring a restored peg and greater stability.
The migration process is designed to allow users to exchange their current cross-chain assets for new versions that are pegged 1:1 with their unwrapped counterparts.
In addition to the new assets, users will receive FLOCKS tokens equivalent to 50% of their realized losses, spread over 24 monthly payments.
This gradual compensation aims to reduce the financial blow and offer users a way to recoup some of their losses over time.
Flamingo Finance stated that if the stolen funds are recovered, FLOCKS token payments will stop, and the assets will be returned to affected users, despite the breach not involving their systems but still impacting user confidence.
Notably, this is not the first attack on Poly Network; a major exploit was also reported in June 2023, and Poly Network lost at least USD 600.3m of its funds.
This latest attack is not the first this month. The Ronin Network also experienced a similar security breach, resulting in the loss of 3,996 Ether tokens, valued at around $9.8 million.
Speculation suggests that the breach might have been conducted by a white hat hacker, who typically returns stolen assets after exposing security flaws; however, the funds have not yet been returned, leaving the hacker’s intentions unclear.