From October 2020 to March 2023, there were 25 incidents in the Web 3.0 space where lost funds were recovered or partially recovered after an attack.
Across these 25 incidents, the stolen funds totaled approximately $1.35 billion, of which $992 million was returned (73%).
The returns of stolen funds we have all heard about this year: Euler Finance, Allbridge, and Sentiment Protocol all successfully negotiated with their attackers.
In fact, these situations sit on a continuous gray scale: the attackers are neither white hat hackers operating within a clearly defined bug bounty program, nor black hat hackers who simply steal assets. We call them "gray hat hackers" to distinguish and analyze them.
Malicious exploitation of vulnerabilities has plagued Web 3.0 for many years. The targets of these incidents are usually protocols, smart contracts, and software-based applications such as self-custody wallets, and the result is usually that the hackers "succeed" and abscond with the money.
However, a growing number of protocols have managed to negotiate with attackers and arrange the return of funds.
CertiK compiled data for 25 protocols that were exploited and then returned funds between October 2020 and mid-March 2023:
☞ Approximately $1.35 Billion in Funds Stolen
☞ A total of approximately $992 million (73%) of funds were returned
☞ Approximately $314.5 million (23.1%) of funds were retained by attackers
☞ The remaining roughly 3.9% was lost or frozen in the process
So far in 2023, eight major exploits have resulted in approximately $221.5 million in stolen assets, of which approximately $188 million (84.8%) has been returned.
Some unreturned funds were kept by the attackers as white hat bounties, drawing attention to the protocol vulnerabilities.
Other instances of unreturned funds arose in part from the attacker's own demands.
Of those 25 protocols, four had their funds fully returned.
Attackers approach the return of stolen funds differently: some returned all of the stolen funds, others returned part, and some refused altogether.
Because these exploits were malicious at the outset, and because some attackers changed their minds only after negotiating with the victims, we classify these incidents as gray hat situations.
After Cashio.App suffered an incident in which $50 million was stolen, the attackers eventually returned funds to investors who had less than $100,000 in their accounts, with the rest allegedly donated to charity.
The Mango Markets case is more unusual: the attacker, Avraham Eisenberg, took a total of $117 million from the protocol and eventually returned about $67 million, but claimed that his actions were legal, "just a highly profitable trading strategy." Despite his agreement with Mango Markets, Avraham Eisenberg was later sued by the SEC for orchestrating the attack.
The Web 3.0 cryptocurrency industry has suffered an increasing number of exploits and hacks over the past few years. But protocols now appear to be attempting deeper negotiations with attackers in the hope of recovering a large share of the stolen funds.
Typically, these negotiations take place in public (on social media, or through on-chain messages between attackers and victims): leaving a message for an anonymous hacker in a transaction is often the only way to get in touch with them.
Such a trend could indicate a growing shift in the Web 3.0 industry toward lower risk and greater security for protocols and investors, especially as projects create market incentives that push attackers toward negotiation.
To explore this possibility further, we examine the different negotiation strategies employed by victims by analyzing these public negotiations and their final outcomes.
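The on-chain messages mentioned above are plain UTF-8 text placed in a transaction's input-data field. The following added example (not from CertiK or any of the protocols discussed) shows how a team monitoring its own treasury address could encode such a message and pick attacker replies out of a stream of transactions, filtering out ordinary transfers and ABI-encoded contract calls. The addresses, transaction dicts and message wording are constructed for illustration; only the ERC-20 `transfer` selector is a real value.

```python
"""Encode and decode plain-text messages carried in the input-data field of
Ethereum-style transactions. Transactions here are constructed dicts, not
data from any real incident."""

import re
from typing import List, Optional, Tuple

HEX_RE = re.compile(r"^(0x)?[0-9a-fA-F]*$")


def encode_onchain_message(text: str) -> str:
    """UTF-8 encode a message into the hex form used in a tx input field."""
    return "0x" + text.encode("utf-8").hex()


def decode_onchain_message(input_hex: str) -> Optional[str]:
    """Return the message if the input data is printable UTF-8 text, else None.
    ABI-encoded contract calls (e.g. ERC-20 transfers) either fail the UTF-8
    decode or contain unprintable bytes such as NUL, so they are filtered out."""
    if not HEX_RE.match(input_hex):
        return None
    raw = input_hex[2:] if input_hex.startswith("0x") else input_hex
    if len(raw) == 0 or len(raw) % 2:
        return None
    try:
        text = bytes.fromhex(raw).decode("utf-8")
    except ValueError:  # UnicodeDecodeError is a ValueError
        return None
    if not all(ch.isprintable() or ch in "\n\r\t" for ch in text):
        return None
    return text


def extract_messages(txs: List[dict], watched: str) -> List[Tuple[str, str]]:
    """Collect (sender, message) for every tx to `watched` that carries text."""
    found = []
    for tx in txs:
        if tx["to"].lower() != watched.lower():
            continue
        msg = decode_onchain_message(tx["input"])
        if msg is not None:
            found.append((tx["from"], msg))
    return found


# Constructed sample: a hypothetical treasury address watched by the protocol team.
TREASURY = "0x1111111111111111111111111111111111111111"
SAMPLE_TXS = [
    {"from": "0xaaaa...", "to": TREASURY, "input": "0x"},  # plain ETH transfer
    # ERC-20 transfer(address,uint256) call; selector a9059cbb is real, args zeroed
    {"from": "0xbbbb...", "to": TREASURY, "input": "0xa9059cbb" + "00" * 64},
    {"from": "0xcccc...", "to": TREASURY,  # attacker reply, constructed wording
     "input": encode_onchain_message("Will return the altcoins first.\nCan the frozen USDT be released?")},
]

if __name__ == "__main__":
    for sender, msg in extract_messages(SAMPLE_TXS, TREASURY):
        print(sender, "->", msg)
```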
Poly Network
On August 10, 2021, hackers used a bug in Poly Network's code to steal funds in more than a dozen different Web 3.0 currencies, with total losses of over $610 million. On the same day, Poly Network contacted the hacker directly through an on-chain message, asking them to get in touch.
Poly Network ultimately proposed awarding the hacker a bounty if the funds were returned. It also published an open letter to the hacker on Twitter, saying that "law enforcement in any country will treat this as a major economic crime, and you will be held accountable." By the end of the incident, Poly Network was even praising the hacker, saying it "hoped they would be remembered as the largest white hat hacker in history."
The hacker responded that, before they had even had a chance to reply to Poly Network, the protocol had investors and others urging and berating them, even though they had no intention of laundering the stolen funds. Throughout this process the hacker kept communicating with Poly Network through transaction notes, saying that they intended to start by returning altcoins and asking whether the frozen USDT could be unfrozen; if it were, they would return the stolen USDT and USDC.
Poly Network did not respond to that question, which appears to have been the right move: the hacker began returning funds to three Poly Network addresses the next day.
The hackers later messaged that they would provide the final keys to the multi-signature wallet they used to return the funds.
The hackers eventually returned all the stolen assets that were sent to the multisig account.
With the exception of $33 million worth of USDT that was frozen by Tether, most of the lost funds were returned to Poly Network.
In return, Poly Network paid a bug bounty of 160 ETH (approximately $486,000) to a separate account created by the hacker. But the hacker returned the bounty to Poly Network and demanded that the fee be distributed to those affected investors.
The full on-chain communication between Poly Network and the hacker is archived at https://heystacks.com/doc/977/polynetwork-and-hacker-communicate
Allbridge
On April 1, 2023, Allbridge suffered an attack targeting its BUSD/USDT pool on the BNB Chain. The project initially said the attack only affected those BNB Chain pools, but that the vulnerability could extend to other pools. To prevent this, Allbridge paused its bridge platform and created a web interface for liquidity providers to withdraw their balances.
Like Poly Network, Allbridge announced shortly after the attack that it would offer the hacker a bounty, adding that if the stolen funds were returned, the hacker would face no legal consequences. On April 3, the team announced that it had heard from the attacker and that 1,500 BNB (~$465,000) had been returned to the project. About $108,000 worth of assets remains in the hands of the hackers.

Euler Finance
The Euler Finance hack is the largest exploit so far in 2023.
On March 13, 2023, Euler Finance's lending pools were hit by a flash loan attack, with total losses of about $197 million.
As in the Poly Network and Allbridge cases, Euler Finance offered the attacker a 10% bounty if the remaining assets were returned.
However, the project took a more aggressive negotiating stance, pairing the bounty announcement with a warning: if the attacker did not return the remaining 90% of the funds, Euler would offer a $1 million reward for information about the attacker. Despite this warning, the hacker moved approximately $1.78 million of the stolen funds into Tornado Cash.
The hacker then contacted Euler Finance through on-chain messages.

On March 21, after the attacker stopped responding, Euler Finance followed through on its warning and launched a $1 million bounty for information on the attacker. Four days later, the attacker chose to return the funds to Euler and apologized.
On April 3, Euler Finance announced on its Twitter account that they had recovered all "recoverable funds" following negotiations with the hackers.
Sentiment Protocol
On April 4, 2023, Sentiment Protocol was attacked and lost nearly $1 million.
On April 5, Sentiment Protocol announced the vulnerability on its Twitter account and suspended the main contract (allowing only withdrawals) to mitigate further loss of funds.
Sentiment Protocol offered to negotiate with the attacker, promising a bounty while issuing a warning: if the funds were not returned by April 6, the "white hat" bounty promised to the attacker would instead become a reward for tracking them down. Like Allbridge, the protocol also promised that it would not take legal action against the attacker if the funds were returned.
The next day, Sentiment Protocol offered the attacker a $95,000 bounty if the funds were returned by 8:00 UTC on April 6.
How to negotiate with gray hat hackers?
As seen in the four cases in this article, all of the protocols offered bounties in exchange for the stolen assets.
Both Euler Finance and Sentiment Protocol warned their attackers (by offering bounties for information on them). Allbridge and Sentiment Protocol also announced that they would not take legal action against the hackers if the funds were returned, while Poly Network made it clear that it would involve law enforcement.
Of the four protocols, two had all "recoverable" funds returned in full; Allbridge is still negotiating with a second hacker, and Sentiment Protocol recovered 90% of the funds after two days of negotiation.
From this we can see that bounties are a very effective means of negotiating with attackers. They also carry certain risks, however: after receiving the bounty, the attacker may not keep their promise and may go on to leak data or attack again, and some countries and regions may take legal action over the payment of bounties.
Organizations therefore need to assess the risks and legality and develop effective strategies to ensure that ransom payments are made safely and stolen assets are recovered as quickly as possible.