Open in app

Sign in

Write

Sign in

Poly Network Bridge Exploit and The Asset Support Initiative

bordois
Flamingo Finance
6 min readAug 20, 2024

--

Poly Network Bridge Exploit and the Asset Support Initiative

Flamingo community,

On August 12, 2024, a smart contract exploit occurred on the Poly Network CMCC contract. Because of this incident, the cross-chain bridge on Neo N3 was stopped. We announced this on our discord and on X later that day.

The incident has been and is still being investigated to determine the full extent of the exploit. The Flamingo team is helping Neo Global Development (NGD) and Poly Network who are continuously working diligently to find and freeze any wallets related to the exploit.

What happened

The hacker exploited the Poly Network CMCC contract for around $4–5 million USD in total. It is with a heavy heart to say that the hacker still has not returned the funds. A bounty has been offered via a message on the Ethereum network. The hacker has not responded to the message.

There is still a potential that the hacker does return the stolen funds for the bounty, especially since the stolen assets can now be tracked and anyone found to be associated with them will suffer legal consequences. The hope is that the hacker understands the seriousness of this matter and returns the funds, but there is no guarantee that they will.

The hacker made away with ~20–25% of all cross-chain asset funds (f-assets and p-assets: fUSDT, fWBTC, fWETH, fBNB, fCAKE, pWING, pONT). This is because the Poly Network bridge uses hot and cold wallets for cross-chain bridging, and the hacker was able to take what was available in the hot wallet (~20–25% of funds). Luckily, the hacker could not take everything.

That said, with ~20–25% stolen, cross-chain f- and p-assets are now currently worth ~75–80% of their unwrapped versions. For example, if 1 USDT = $1.00 USD, then 1 fUSDT = ~$0.75 — $0.80 USD.

If and/or when the hacker does return the funds, all investors affected by this will be made whole again, or as close to it as possible, with their share of the returned funds. The share of the received tokens will go back to the users who have migrated their f- and p-assets.

What this means for you

If you don’t currently hold any f- or p-assets, you do not have to do anything.

First and foremost, we want to express our sincere sympathy for any inconvenience or financial impact this situation may have caused our community. Although Flamingo had nothing to do with the cause of the Poly Network smart contract exploit, we understand users of Flamingo are affected by this, and holders of f- and p-assets are directly affected with a ~20–25% loss.

Because of this, we have decided to try to help “soften the blow” by setting up an action plan we call the Asset Support Initiative.

The Asset Support Initiative

Before we delve into the details of the initiative it is important to note that this is a tentative plan, with a lot of moving parts, that is being worked hard on and is subject to change over the coming weeks.

The broad stroke of the initiative is to support f- and p-asset holders by giving away 40,000,000 FLOCKS (worth 40,000,000 FLM with a current value of around $2,500,000 USD, + dividends) over a 2-year timespan. You can read more about FLOCKS here.

Once the Poly Network bridge comes back up, an Asset Actions page will be added to Flamingo so that users can migrate f- and p-assets to receive 75–80% of the migrated amount in a new asset. The new assets received are fully backed in the source chain (re-pegging).

Users can exchange their cross-chain f- and p-assets for their new version counterparts and receive compensation for 50% of their losses in FLOCKS tokens over two years. FLOCKS tokens will be distributed monthly, starting 30 days after the migration, for a total of 24 payments. The amount of FLOCKS received will be based on the asset’s value on a specific date, to be announced later. Users have 12 months to migrate their assets, but delaying the migration might reduce the number of FLOCKS payments, as the two-year payment period begins 30 days after the migration.

For example, if Jack exchanges 1,000 fUSDT and receives 750 fUSDT in return, he has a 250 USDT loss. Jack will be compensated with $125 worth of FLOCKS tokens, spread over 24 equal monthly payments for two years. The amount of FLOCKS Jack receives each month will be fixed based on the FLOCKS price at the time of his asset migration, regardless of future price changes.

Over time, the FLOCKS tokens may generate dividends, reducing Jack’s effective loss. He can also sell the FLOCKS tokens anytime.

If the stolen funds are recovered, Flamingo will stop the FLOCKS payments and instead distribute the recovered assets to affected users.

If the hacker returns funds and FLOCKS have been given away and they have (for example) a value of 50% of the hack, users will get 50% from hacker funds (so they are whole) and then the rest will be used to buy back and burn FLOCKS.

Closing Remarks

We understand how an incident like this can have a detrimental effect on anyone and everyone involved, and we sympathize with everyone affected by this.

We want to remind users that the hacker exploited a Poly Network smart contract, and did not hack Flamingo. Giving back 50% of the loss to those affected is Flamingo’s way of trying to soften the blow and help cross-chain asset holders as much as we can, turning losses from up to 25% to 12.5% or less (depending on prices and dividends) over time.

Our support team is available 24/7 on discord to address any questions or concerns you may have during this challenging time.

To the loyal community members who have used Flamingo from the beginning, we are especially grateful for your trust and belief in our vision. We are determined to help affected users as much as we possibly can and rebuild the confidence you have placed in Flamingo.

Thank you for your continued support and understanding during this difficult period. We are committed to emerging from this situation stronger and more resilient, with improved systems and safeguards in place to better serve the Flamingo community.

Sincerely,
The Flamingo Finance Team

Questions and Answers

What happens to the f- and p-assets?

They will remain on Flamingo and will be able to be traded for whatever price is in the pools. At some point in the future, trading and asset actions with these assets will be hidden away so the UX does not become confusing.

Will I be able to unwrap my f- and p-assets in the future?

No, the f- and p-assets must be migrated to the new cross-chain assets before they can be unwrapped. That is to ensure that the peg/backing of the assets is kept at 100%.

When will I be able to buy and unwrap f- and p-assets for a ratio of 1:1?

After the migration has started and with new pools, the ratio from wrapped to unwrapped assets will return to 1:1. Any f- and p-assets bought before the migration starts will be indefinitely unpegged.

More community questions and answers will be added here as they arise.

Flamingo Finance is an easy-to-use DeFi platform built on the Neo N3 blockchain. Flamingo is designed with Smart Functions for everyone, from beginners to advanced cryptocurrency users. https://flamingo.finance/

To stay in touch with us and keep up to date on all things Flamingo, please join us on Discord or Telegram, and connect with us on Twitter.

--

--

bordois
Flamingo Finance

Written by bordois

542 Followers
Writer for

Head of Content and Marketing at Flamingo.Finance and God of Meme2Earn.com

Help

Status

About

Careers

Press

Blog

Privacy

Terms

Text to speech

Teams