
Analysis of the Curio Exploit
Learn how Curio was exploited, which resulted in a loss of approximately $16 million.
After much deliberation and careful thought, Neptune Mutual has decided to close the cover marketplaces. Below are the reasons for the decision, as well as what it means for the community.
The marketplaces will be closed using an emergency withdrawal process whereby the liquidity provided to cover pools by LPs will be returned to the wallet addresses from which the liquidity was supplied. In addition to protecting cover pool LPs, there will also be refunds to all cover policy purchasers with an existing and valid policy who have paid over 10 USD in policy fees in one transaction.
For veNPM holders, please fill out this form to receive a refund for your veNPM to NPM conversion penalty.
From the end of June there will no longer be NPM emission incentives for LPs i.e. Epoch 3 of the liquidity gauge emissions will be canceled.
Unused funds raised from financial backers will be returned to those backers; this includes DEX liquidity that has now been removed from SushiSwap and Uniswap. A small amount of liquidity on SushiSwap Arbitrum has been left to enable a minimum amount of NPM trading.
The protocol will be open sourced, and become a true public good. Enabling the community to fork the code developed by the Neptune Mutual team such that others might use the existing resources to further our mission to make the blockchain space better protected against smart contracts and other risks.
There are numerous factors that have led to this difficult decision, some of them external factors that are uncontrollable or unforeseeable. A few of these factors are summarized below:
“Given Neptune Mutual’s Tier 1 backers, why have you not listed on a top CEX?”
This is perhaps one of the most frequently asked questions. In short, the answer is that, for a variety of reasons, Neptune Mutual was not able to achieve the diverse set of performance metrics (community size and engagement, marketplace user activity, DEX 24-hour trading volume, TVL growth, etc.) required to list on a top-tier CEX. The CEXs that are prepared to list the NPM token do not have the depth of liquidity or breadth of user base to offer good prospects for NPM token holders.
The above point invariably leads to the question:
“Why has Neptune Mutual not achieved strong growth?”
It is tempting to take a shortcut in answering this question by pointing a finger at one specific factor, but the reality is that there are many contributing factors. A few are summarized below:
Since the outset of engaging with the community we have endeavored to highlight the need for DeFi insurance; Neptune Mutual built a comprehensive dataset of on-chain hacks, and each week we highlight the many millions of dollars that are stolen as a result of smart contract hacks. Despite this, we have consistently been confronted by projects unwilling to spin up cover pools in our marketplace because of the sentiment that audits of their code are sufficient to persuade their community that their protocol is safe. Less than 0.3% of all digital assets are protected with some form of DeFi insurance, and yet, despite all the media reports of hacks and the conference discussions about the importance of governance or CEX proof-of-reserves, it remains extremely difficult to get media attention to focus on the need for a fast and efficient means of mitigating smart contract risk.
A variety of approaches have been taken by different DeFi insurance protocols to address this, from attending multiple conferences throughout the year and significant marketing spend to the leaner approach that Neptune Mutual took (in part as a result of the bear market in 2023). What can be said is that no DeFi insurance protocol has managed to achieve significant growth over the last 18 months; sadly, the overall TVL of the sector has shrunk considerably.
For all the reasons above, at this moment the best course of action is no longer to double-down on investing in growth, but rather to refund unused capital and close the marketplaces.
The consequences are very tough for the Neptune Mutual team, who have spent the past 3 years of their time on the mission to facilitate safer environments within DeFi. The team delivered products according to the roadmap, and the fact that the protocol was never hacked, despite attempts being made on the darkweb, is testament to their expertise, passion and absolute focus on security. The team survived the FTX and UST crises unscathed, and believed that the continued growth in hacks would lead to growth in the demand for a good solution to mitigate these risks, but sadly, as can be seen right across the DeFi insurance category, this is not yet in sight. So we would like to thank the team for all the dedication, skill and passion invested into the Neptune Mutual project since the outset.
The team will open source the protocol, including blockchain indexing protocol (subgraph alternative), frontend, middleware, database, and backend code, to make it a true public good. This will allow anyone to fork the code and create covers by defining parameters and premium ranges, potentially leading to innovative covers and organic usage.
The Discord channel will be closed to reduce the risk of phishing and other types of cyber attack; any questions or queries will be responded to in the Telegram channel.
We want to take this final opportunity to thank you all for your support.
Neptune Mutual will contact only its financial backers, with whom a signed agreement exists, in relation to next steps (i.e. holding NPM tokens does not qualify you for any form of refund). Contact will be made only from a neptunemutual.com domain email address so please check the source of any email you may receive very carefully. Please ignore any messages from any other email or social media accounts in relation to token/cash refunds.
Learn how Fixed Float was exploited, resulting in a loss of assets worth $26.53 million.
On February 16, 2024, Fixed Float was exploited on the Ethereum Mainnet and Bitcoin networks, resulting in a loss of 1,728 ETH, worth $5.054 million, and 409 BTC, worth $21.476 million, totaling approximately $26.53 million.
Fixed Float is a digital asset exchange platform that offers fast, secure, and non-custodial cryptocurrency swapping services.
The root cause of the exploit is not known at the time of this writing.
The exploiter on the Ethereum Mainnet drained approximately 1,076.78 ETH and 650 ETH across multiple transactions.
The exploiter's address was also involved in another asset transfer from a Binance hot wallet on the Polygon chain.
On Ethereum, the drainer has already transferred most of the stolen ETH to multiple EOAs and then to eXch, a centralized mixer, in order to obfuscate the trail of the stolen assets.
The exploiter's address on Bitcoin made five transactions totaling 409.3 BTC, worth approximately $21.476 million:
5b77e01a8253b245d0ce3fd9fcfb3dffb88d49396c1a5553848cf1e05be08c68: 3.1 BTC worth $162,697
31538ae0e280c65f2b02916b32d83f4d6f281f2d867e641c274469b416e015c3: 3.1 BTC worth $162,776
0fdf2946694046d1109120c67bc8d0c96977aca2f1777dea7841d89a64e42260: 3.1 BTC worth $162,771
15f7ac31837c8dba597f46359857205df1c41573c4bb489b5a81fd058be5da6d: 200 BTC worth $10,494,338
9822616097948dab2048395c4d887dbb1f99273e5cc40de2d86639013588df41: 200 BTC worth $10,494,338
The stolen funds on the Bitcoin network were then sent on to three different addresses:
bc1q04yvaefxyan4fuygsv4nr08pxet8ae426dxxf3: 170.85 BTC worth $8,959,341
bc1qp6gjx8par8e83lfqnem5q049x2qfpydfg27tjf: 38.45 BTC worth $2,016,253
bc1qmrqgrusknj7zzhh5r975a7d6espsukgts805ns: 199.99 BTC worth $10,487,662
Two days after the exploit, and following the community disclosure, the team acknowledged that the exploit had occurred. According to them, they are not yet ready to make public comments on the incident and will be working to investigate and eliminate all possible vulnerabilities. Their services are unavailable at the time of this writing.
In the wake of the Fixed Float exploit that led to the loss of a significant sum of digital assets, a multi-faceted approach is essential for addressing the breach and fortifying against future incidents. A thorough investigation into the incident is the first critical step, with Fixed Float needing to delve deep into their systems to unearth the exploit's origins and other potential vulnerabilities. This task could greatly benefit from the expertise of external cybersecurity specialists, providing fresh perspectives and more sophisticated security solutions.
Enhanced security protocols are paramount. Continuous monitoring for unusual activity and having immediate response mechanisms in place are also key components of a robust security strategy. Transparent communication with users throughout the recovery and investigation process is vital. Fixed Float must keep its users informed with regular updates on the steps being taken to rectify the situation and preventive measures for future security.
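The "continuous monitoring for unusual activity" recommended above can be made concrete as a hot-wallet outflow monitor. The following Python script is an added example written for this article; it is not code from Fixed Float or from Neptune Mutual. It assumes a stream of transfer records (timestamp, source, destination, amount) such as an indexer or node RPC would provide, a set of destinations the operator has previously approved, and a per-window outflow budget; the wallet labels, thresholds and transfer records are constructed sample data chosen to resemble the rapid multi-transaction drain described in this incident.

```python
from collections import deque
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import Iterable


@dataclass(frozen=True)
class Transfer:
    """One on-chain transfer; amount is in native units (ETH here)."""
    ts: datetime
    src: str
    dst: str
    amount: float


def detect_outflow_anomalies(transfers: Iterable[Transfer], hot_wallet: str,
                             window: timedelta, max_window_outflow: float,
                             approved_dsts: set[str]) -> list[tuple]:
    """Scan outbound transfers from hot_wallet in time order and return alerts.

    Two signals are raised:
      ("unknown_destination", ts, dst, amount)       - outflow to an address the
                                                        operator never approved
      ("window_outflow_exceeded", ts, dst, total)    - outflow within the sliding
                                                        window exceeds the budget
    """
    recent: deque[Transfer] = deque()  # outbound transfers inside the window
    window_sum = 0.0
    alerts: list[tuple] = []
    for t in sorted(transfers, key=lambda x: x.ts):
        if t.src != hot_wallet:
            continue  # inbound or unrelated traffic does not count as outflow
        # Evict transfers that have fallen out of the sliding window.
        while recent and t.ts - recent[0].ts > window:
            window_sum -= recent.popleft().amount
        recent.append(t)
        window_sum += t.amount
        if t.dst not in approved_dsts:
            alerts.append(("unknown_destination", t.ts, t.dst, t.amount))
        if window_sum > max_window_outflow:
            alerts.append(("window_outflow_exceeded", t.ts, t.dst, round(window_sum, 6)))
    return alerts


# Constructed sample data (hypothetical labels, not real addresses).
HOT_WALLET = "0xHOT_WALLET"
APPROVED = {"0xKNOWN_USER_1", "0xKNOWN_USER_2"}
_T0 = datetime(2024, 2, 16, 0, 0, 0)
SAMPLE_TRANSFERS = [
    Transfer(_T0, HOT_WALLET, "0xKNOWN_USER_1", 2.0),                       # routine withdrawal
    Transfer(_T0 + timedelta(minutes=1), HOT_WALLET, "0xKNOWN_USER_2", 1.5),  # routine withdrawal
    Transfer(_T0 + timedelta(minutes=2), "0xDEPOSITOR", HOT_WALLET, 100.0),   # inbound, ignored
    Transfer(_T0 + timedelta(minutes=3), HOT_WALLET, "0xFRESH_EOA_A", 200.0), # drain begins
    Transfer(_T0 + timedelta(minutes=4), HOT_WALLET, "0xFRESH_EOA_A", 200.0),
    Transfer(_T0 + timedelta(minutes=5), HOT_WALLET, "0xFRESH_EOA_B", 250.0),
]


def run_demo() -> list[tuple]:
    """Apply a 500 ETH / 10 minute budget to the constructed sample stream."""
    return detect_outflow_anomalies(SAMPLE_TRANSFERS, HOT_WALLET,
                                    window=timedelta(minutes=10),
                                    max_window_outflow=500.0,
                                    approved_dsts=APPROVED)


if __name__ == "__main__":
    for kind, ts, dst, value in run_demo():
        print(f"{ts.isoformat()} {kind:25s} {dst:16s} {value}")
```

On the sample stream the two routine withdrawals are silent, each of the three transfers to fresh EOAs raises an unknown-destination alert, and the third one also trips the window budget (653.5 ETH in 5 minutes against a 500 ETH limit). In production the "immediate response mechanism" the article calls for would be wired to these alerts, for example pausing withdrawals from the hot wallet until a human reviews the burst.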
Even when rigorous security measures are followed, the possibility of vulnerabilities being exploited persists. In these scenarios, the role of Neptune Mutual is pivotal. By establishing a dedicated cover pool with Neptune Mutual, the adverse effects of similar incidents can be significantly mitigated. We specialize in providing coverage against losses due to smart contract vulnerabilities, leveraging parametric policies tailored for these specific risks.
Engaging with Neptune Mutual simplifies the recovery journey for users by removing the need for detailed loss documentation. Once an incident is confirmed and resolved using our detailed incident resolution framework, our focus shifts to quickly compensating and financially supporting affected individuals. This approach ensures rapid assistance for users hit by such security breaches.
Our marketplace extends across multiple leading blockchain platforms, such as Ethereum, Arbitrum, and the BNB chain, catering to a wide range of DeFi participants. This comprehensive network allows us to offer protective measures against various vulnerabilities, enhancing security for our diverse user base.
Reference Source: Beosin