- Crypto lender Shezmu has recovered close to $5 million of stolen funds
- The lender initially offered a 10% bounty, but the hacker demanded 20%
- Shezmu also informed the hacker that it may involve law enforcement agencies if they don’t return the funds
Crypto lender Shezmu has successfully recovered nearly $5 million after convincing the hacker to keep part of the loot as a bounty. The DeFi platform had threatened the hacker that it would involve law enforcement agencies if they chose to keep the entire loot. Shezmu’s hack was first reported by Fuzzland’s co-founder Chaofan Shou, who noted that it was unclear whether it was a hack or a rug pull, making the recovery a confirmation that it wasn’t the team abandoning the project.
Hacker Demands 20% as Bounty
According to Shou, the hacker found a way to exploit a shortcoming in the lender’s vault that allowed anyone to “borrow an arbitrary amount of” the project’s token ShezUSD. Shou also noted that the vulnerable contracts were deployed less than three weeks ago.
This is not auditors’ fault though. The vulnerable contracts were deployed 17 days ago. https://t.co/7ZdzRnfz7v
— Chaofan Shou (@shoucccc) September 20, 2024
Shezmu referred to the attacker as a white hat hacker, adding that the 10% bounty offer was active within 24 hours of sending the message. The hacker responded by demanding 20% of the funds as a bounty, which the lender accepted, providing an address for the hacker to deposit the remaining 80%.
A few hours after the agreement, Shezmu confirmed receiving the funds. The lending project, however, warned users against interacting with some of the compromised components until a further update.
Update: We’ve successfully recovered the remaining funds (minus white hat bounties) and are working on a full post-mortem and recovery plan. Over the next few days, we’ll release details on our plan to ensure Curve, Balancer, and Beefy LPs are made whole.…
— Shezmu (@ShezmuTech) September 21, 2024
Shezmu to Reimburse Liquidity Pools
In its latest update, Shezmu outlined a plan to restore confidence in the platform by reimbursing impacted liquidity pools. The plan involves airdropping recovered funds to the pools and issuing debt tokens “to cover the remaining 20% of losses.”
Over the coming days, here’s what you can expect as part of our comprehensive recovery and reimbursement plan:
1. Snapshot of Impacted LPs:
A snapshot of all Beefy, Curve, Balancer, and Aura LPs holding ShezUSD and ShezETH paired assets will be taken to assess the impact and…
— Shezmu (@ShezmuTech) September 22, 2024
The recovery comes a few days after the WazirX hacker started moving funds to crypto mixer Tornado Cash, indicating no intention of returning the funds even for a bounty. It also comes as the Mango Markets exploiter still maintains that he wants to keep the entire loot despite being taken to court.
Although Shezmu recovered the funds, it remains to be seen whether its users will still have confidence in the platform.