Holograph Protocol Hack: Mitigating the $14.4 Million Exploit
Holograph Protocol Hack: In-Depth Analysis of the $14.4 Million Exploit, Response Strategies, Third-Party Audit Plans, and Community Resilience in Blockchain Security
TL;DR
Holograph Protocol suffered a $14.4 million hack orchestrated by a former developer who exploited an infinite mint vulnerability. The attacker minted 1 billion HLG tokens, sold them on exchanges, and caused an 80% drop in token value. The incident underscores the importance of robust access controls and thorough vetting in smart contract development.
In June 2024, Holograph, an omnichain NFT protocol, suffered a security breach that resulted in roughly $14.4 million in losses.
The attacker exploited an infinite mint weakness in the protocol's smart contracts: an address under their control had been granted permission to call the mint function, and nothing in the contract bounded how much that address could mint. They used it to create 1 billion HLG tokens, which they then sold for profit.
The attacker was a former contractor of the Holograph protocol. The initial theory rested on the fact that the attacker's address had been approved to use the project's mint function; the Holograph team later confirmed it.
The Holograph Operator contract has been exploited by a malicious actor, enabling the hacker to mint 1 billion additional HLG
The team has patched the initial exploit & is working with exchange partners to lock the malicious accounts
The team has launched an investigation & is… x.com/i/web/status/1…
— Holograph (@holographxyz)
7:15 PM • Jun 13, 2024
Approximately 26 days before carrying out the attack, the attacker deployed a malicious smart contract on the Mantle network. This contract was designed to call the protocol's mint function.
Because the attacker's address was on the contract's trusted list, the mint function's access check passed; no bypass of the check was needed, the stale approval was the vulnerability. The rogue developer then executed nine separate minting transactions, creating a total of 1 billion HLG tokens.
After minting 1 billion new HLG tokens, the attacker bridged these tokens to the Ethereum network and immediately began selling them.
Although exchanges managed to freeze approximately 200 million of the newly minted tokens, the attacker successfully dumped a substantial portion.
Consequently, the inflated supply caused the value of the HLG tokens to drop by about 80% within the initial nine hours following the attack.
Lessons Learned From The Attack
The Holograph hack highlights the critical need for stringent access control and for thorough vetting of development team members. In this incident, a rogue developer exploited the fact that an address under their control had been granted approval to call the project's mint function.
Using this privileged access, they inflated the supply of HLG tokens for their own benefit while severely harming the project's users and the token's value.
When implementing privileged functionality such as mint and burn functions in smart contracts, decentralizing control is a best practice that provides robust protection against malicious insiders like the Holograph hacker.
By placing privileged roles behind a multi-sig wallet, several private key holders must collude to misuse that access, which significantly reduces the risk of unauthorized actions. Just as important is the lifecycle of those approvals: a grant made to a contractor during development must be revoked when they leave, and a mint function should enforce supply and rate caps so that a single compromised or stale approval cannot inflate the entire supply in nine transactions.
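As an added illustration (not Holograph's code, and not a reconstruction of the exploited Operator contract), the Solidity sketch below places a mint entry point written the way the incident describes it beside a hardened version. All contract, function and variable names are hypothetical; `admin` is assumed to be an already-deployed multisig contract, and the balance ledger is kept minimal so the file compiles without imports.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.20;

// Added example, not Holograph's code. Bare ledger so this compiles stand-alone.
contract Ledger {
    uint256 public totalSupply;
    mapping(address => uint256) public balanceOf;
    event Transfer(address indexed from, address indexed to, uint256 value);

    function _mint(address to, uint256 amount) internal {
        totalSupply += amount;
        balanceOf[to] += amount;
        emit Transfer(address(0), to, amount);
    }
}

// Weak pattern: one owner key grants "operator" status, operators can mint any
// amount forever, and grants never expire. A contractor's address approved
// during development can still mint long after they are gone.
contract WeakMintable is Ledger {
    address public owner;
    mapping(address => bool) public isOperator;

    constructor() { owner = msg.sender; }

    function setOperator(address op, bool allowed) external {
        require(msg.sender == owner, "not owner");
        isOperator[op] = allowed;
    }

    function mint(address to, uint256 amount) external {
        require(isOperator[msg.sender], "not operator");
        _mint(to, amount); // no cap, no rate limit, no expiry
    }
}

// Hardened pattern:
//  - admin must be a contract (intended: a multisig), so no single private
//    key can grant or keep mint rights;
//  - every minter grant carries an expiry, so forgotten approvals lapse;
//  - an absolute supply cap plus a per-epoch cap bounds the damage from a
//    compromised or stale minter to one epoch's allowance.
contract HardenedMintable is Ledger {
    address public immutable admin;      // multisig address, fixed at deploy
    uint256 public immutable maxSupply;  // hard ceiling on totalSupply
    uint256 public immutable epochCap;   // most that may be minted per epoch
    uint256 public constant EPOCH = 1 days;
    uint64 public constant MAX_GRANT = 90 days;

    mapping(address => uint64) public minterExpiry; // 0 = not a minter
    uint256 public epochStart;
    uint256 public mintedThisEpoch;

    event MinterGranted(address indexed minter, uint64 expiresAt);
    event MinterRevoked(address indexed minter);

    constructor(address admin_, uint256 maxSupply_, uint256 epochCap_) {
        // An EOA has no bytecode, so this rejects a plain private key as admin.
        // A contract still under construction also has no code: pass an
        // already-deployed multisig.
        require(admin_.code.length > 0, "admin must be a contract");
        require(epochCap_ <= maxSupply_, "epoch cap exceeds max supply");
        admin = admin_;
        maxSupply = maxSupply_;
        epochCap = epochCap_;
        epochStart = block.timestamp;
    }

    modifier onlyAdmin() { require(msg.sender == admin, "not admin"); _; }

    function grantMinter(address minter, uint64 expiresAt) external onlyAdmin {
        require(expiresAt > block.timestamp, "expiry in the past");
        require(expiresAt - block.timestamp <= MAX_GRANT, "grant too long");
        minterExpiry[minter] = expiresAt;
        emit MinterGranted(minter, expiresAt);
    }

    function revokeMinter(address minter) external onlyAdmin {
        delete minterExpiry[minter];
        emit MinterRevoked(minter);
    }

    function mint(address to, uint256 amount) external {
        require(block.timestamp < minterExpiry[msg.sender], "minter expired or unknown");
        if (block.timestamp >= epochStart + EPOCH) { // roll the window forward
            epochStart = block.timestamp;
            mintedThisEpoch = 0;
        }
        require(mintedThisEpoch + amount <= epochCap, "epoch cap exceeded");
        require(totalSupply + amount <= maxSupply, "max supply exceeded");
        mintedThisEpoch += amount;
        _mint(to, amount);
    }
}
```

The expiry check is the part that maps most directly onto this incident: an approval granted during a contractor's engagement stops working on its own once the grant lapses, instead of relying on someone remembering to call `revokeMinter` during off-boarding. The epoch cap is a backstop rather than a fix; size it to the protocol's legitimate minting needs, since a cap set far above them gives little protection.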
In the process of designing and deploying smart contracts, it is crucial to conduct a thorough audit of the project's smart contract code. However, relying solely on code audits is insufficient: an audit will not flag an address that is legitimately on a trusted list but belongs to someone who should no longer be trusted.
Organizations must also establish comprehensive security programs and controls that address risks beyond the code itself, including key management, review and revocation of privileged roles when contributors leave, and monitoring of privileged operations such as minting.
In response to the Holograph Protocol hack, the team has taken decisive actions to mitigate the impact and prevent future vulnerabilities. Here’s how they’re addressing the situation:
What’s happening?
Collaboration with Security Experts: Holograph is actively working with security experts to enhance the protocol's defenses and prevent similar exploits in the future.
Freezing of Attacker's Accounts: The exchange accounts associated with the malicious actor have been frozen on major platforms including Bybit, Gate, KuCoin, Bitget, and Backpack. As of now, at least 200 million out of the 1 billion additional HLG tokens have been successfully frozen.
Suspension of HLG Transactions: As a precautionary measure, Bybit, Gate, KuCoin, Bitget, and Backpack have temporarily suspended all HLG deposits and withdrawals to prevent further unauthorized activities.
Holograph exploit update
Overview
✓ A former contractor exploited Holograph Protocol to mint additional HLG
✓ Holograph Protocol has been temporarily locked down
✓ The team is working on strategies to mitigate the impact of the exploit
What happened?
✓ The malicious actor… x.com/i/web/status/1…
— Holograph (@holographxyz)
7:45 PM • Jun 14, 2024
What’s next?
Third-Party Audit: Holograph will undergo a thorough third-party audit of its entire protocol. This audit aims to identify any remaining vulnerabilities and ensure that robust security measures are in place.
Continued Development: Despite the setback, the team remains committed to advancing omnichain tokenization infrastructure and applications. They will continue to deliver on their development roadmap to enhance the protocol's capabilities and security.
Transparent Communication: The team pledges to provide regular updates as they gather more information and implement further security enhancements. They appreciate the ongoing support from the community during these challenging times and are dedicated to resolving the situation responsibly.
The Holograph Protocol hack has highlighted the critical importance of rigorous security practices in blockchain technology. By collaborating with security experts, conducting thorough audits, and maintaining transparent communication, Holograph aims to emerge stronger and more resilient from this incident. The team’s proactive measures underscore their commitment to safeguarding user assets and maintaining trust within the crypto community.
As developments unfold, stakeholders can expect continued updates and proactive measures from Holograph to ensure the integrity and security of their platform.