This week, a former Amazon engineer pleaded guilty to hacking two cryptocurrency exchanges, in the first-ever conviction involving the hacking of a smart contract. Shakeeb Ahmed, who previously worked as a security engineer for Amazon, will face up to five years in prison and must pay back $12.3 million in stolen funds.
The hacks targeted Nirvana Finance and an unnamed crypto exchange on the Solana blockchain. A blockchain is a digital ledger that stores data, such as financial transactions, in a secure environment. Ahmed was able to reverse engineer the steps needed to make the exchanges pay out massive sums by using specialized skills he developed while working for Amazon.
Ahmed then attempted to cover his tracks by negotiating with the unnamed crypto exchange. He offered to return all of the stolen funds, less $1.5 million, if the exchange agreed not to contact law enforcement about the hack.
Smart contracts are blockchain programs that execute specified functions when predetermined conditions are met. For instance, a landlord can use a smart contract to require a renter to transfer a security deposit to receive the apartment door code. Unfortunately, these contracts can be vulnerable to attacks by hackers.
Ahmed exploited a vulnerability in the exchange’s smart contracts, allowing him to submit falsified data that resulted in the contracts generating millions of dollars’ worth of inflated fees he hadn’t earned. In one case, he was able to buy $10 million worth of ANA tokens at an artificially lowered price and sell them for $3.6 million in profit.
In 2022, $2.2 billion in cryptocurrency was stolen from decentralized finance (DeFi) projects. Many of the thefts were carried out by taking advantage of vulnerabilities in smart contracts. Since smart contracts are built upon open-source code, hackers can study the inner workings of the software and take advantage of any weaknesses.
Ahmed’s conviction is a reminder that smart contracts can be vulnerable to attack. Blockchain technology offers a secure way to store data, but without proper precautions, hackers can take advantage of the system.