A programmer from New York has been charged by the US prosecutor's office for allegedly stealing millions of dollars in cryptocurrencies by exploiting vulnerabilities in a decentralized finance platform (DeFi). Another case where the slogan "Code is Law" does not always hold true.
The US prosecutor's office describes the case as the first criminal case related to an attack on a smart contract of a decentralized exchange. The authorities accuse the 34-year-old programmer, Shakeeb Ahmed, of exploiting a vulnerability in an undisclosed DeFi protocol. According to the prosecutor's office, the defendant managed to generate approximately $9 million in unjustifiably inflated fees through price manipulation. Later, Ahmed laundered the stolen funds through various platforms. The case bears some similarities to last year's Mango Markets exploit and seriously questions the DeFi principle of "Code is Law."
Subscribe to our newsletter
The best articles of the week, directly delivered into your mailbox.
"White Hat" DeFi hacker faces court despite returning the funds
Although the US prosecutor's office does not name the exploited DeFi platform, the amount stolen and the date of the exploit match the manipulation of the Crema Finance project. The decentralized exchange based on the Solana blockchain suffered an $8.8 million hack in July 2022 using a technique called a flash loan. Interestingly, the attacker only kept $1.5 million for themselves, returning the rest to the exchange. This is a common practice in the DeFi world. Attackers with "good intentions" are also known as "White Hat Hackers" (in contrast to malicious black hat hackers). DeFi hackers themselves apply this term quite liberally.
In this case, Ahmed reached an agreement with Crema Finance to return all funds except for a "reward" of $1.5 million. However, the platform was not allowed to report the attack to law enforcement agencies. According to the prosecutor's office, Ahmed then sent the funds through various blockchains and protocols to obscure their origin. In the transparent blockchain world, this was not enough to evade law enforcement authorities. After the attack, Ahmed allegedly conducted online research related to the hack, including inquiries about possible legal consequences, searching for lawyers specializing in the field, and considering the possibility of fleeing the United States.
Code is not law
The attacker is facing charges of fraud and money laundering, each carrying a maximum prison sentence of 20 years. If convicted, a US court would confirm for the first time that code is not law in the blockchain world. The English slogan "Code is Law" describes the idea that in decentralized systems, the applicable rules and regulations are automated and enforced through the underlying code. This would make conventional legal oversight unnecessary.
However, the court case proves that law enforcement authorities hold a different opinion. Manhattan's US Attorney Damian Williams stated that the Southern District of New York has always pursued "old-fashioned fraud" through novel technologies. After all, the DeFi market is not a lawless space, and only the law is law.
U.S. Attorney Damian Williams announces the first-ever criminal case involving an attack on a smart contract operated by a decentralized cryptocurrency exchange pic.twitter.com/j3JPv2L612
— US Attorney SDNY (@SDNYnews) July 11, 2023