- Blockbasis
- Posts
- Hedgey Finance: Inside the $44.7 Million DeFi Exploit
Hedgey Finance: Inside the $44.7 Million DeFi Exploit
Crisis and Redemption: Hedgey Finance's $44.7 Million Breach Exposes Critical Security Flaws, Prompting Urgent Calls for Comprehensive Overhaul and Trust Rebuilding Efforts in the Decentralized Finance Landscape
Blockbasis
April 18, 2024
TL;DR
Hedgey Finance took a $44.7 million hit in a flash loan attack, laying bare critical security flaws and rattling user confidence. As the DeFi world buzzes, Hedgey must patch up its defenses and mend its reputation.
Make Sure This Doesn’t Happen To You 🫵
Subscribe to Blockbasis and get access to our premium scanner to check whether your wallet or a contract is safeguarded from hacks 🔐
For a limited period only, you can get a 7 day FREE trial!
Tried to scan your wallet for any exploited contracts connected to your wallet?
If not, you probably should. Better be safe than sorry 🙏
— Blockbasis (@Blockbasis)
1:19 PM • May 6, 2022
All for just $50/month after the trial.
Don't miss out! Grab your FREE trial today 👇
Hedgey Finance, a prominent player in the decentralized finance (DeFi) space, suffered a severe blow on April 19, 2024, when it fell victim to a devastating flash loan attack. This breach resulted in a staggering loss of $44.7 million, affecting both the Arbitrum and Ethereum platforms.
The attack was initially flagged by Cyvers and later confirmed by Hedgey Finance. The team at Hedgey promptly informed their community about an exploit targeting the Hedgey Token Claim Contract. They urged users with active claims to cancel them immediately using the "End Token Claim" button to mitigate further losses.
Hedgey Finance, known for its "token vesting and lockup tools," found itself vulnerable when its lockup tools failed to secure assets adequately. The attacker successfully siphoned off approximately $2.1 million worth of assets from the Ethereum contract, including USDC, NOBL, and MASA tokens. On the Arbitrum chain, the damage was even more substantial, with the theft of around $42.6 million worth of BONUS tokens.
In the wake of the exploit, responses varied among affected parties. NobleBlocks (NOBL) provided a detailed security report to its community.
Important Security Update and Current Status
Dear NobleBlocks Community,
We regret to inform you of a recent security breach that impacted @hedgeyfinance, a prominent token infrastructure platform on which our $NOBL tokens are utilized. During this incident, attackers exploited… x.com/i/web/status/1…
— NOBLEBLOCKS (@nobleblocks)
4:25 PM • Apr 19, 2024
Bonus Block (BONUS) briefly reassured users that their vestings were safe. MASA, on the other hand, appeared more focused on hosting Twitter Spaces than addressing the breach.
Receive weekly Bitcoin summaries with news, insights and analysis on all things Bitcoin, all for free.
As investigations continue, the core issue has been identified: a lack of input validation on user parameters. This oversight allowed the attacker to manipulate token approvals and orchestrate the theft. The attacker executed the exploit in a series of steps, starting with a flash loan of $1.3 million USDC from Balancer to manipulate the claimLockup parameter within the createLockedCampaign function. This maneuver tricked the vulnerable contract into approving USDC token transfers to the attacker's contract.
The attacker then used these approvals to transfer USDC to their own accounts, executing the plan in separate transactions to avoid detection by bots.
Upon scrutinizing the commit records of the vulnerable contract, it became evident that the root cause of the breach lay in unverified user input. Insufficient verification of parameters passed by users allowed tokens to be approved to the attacker's contract, paving the way for the devastating exploit.
Exploiter’s address on Ethereum: https://etherscan.io/address/0xded2b1a426e1b7d415a40bcad44e98f47181dda2
Attack Contract on Ethereum: https://etherscan.io/address/0xc793113f1548b97e37c409f39244ee44241bf2b3
Exploited Contract on Ethereum: https://etherscan.io/address/0xbc452fdc8f851d7c5b72e1fe74dfb63bb793d511
Exploiter’s address on Arbitrum:
https://arbiscan.io/txs?a=0xc7241e27ee4b8d32b59a10e848b48530047a8c5b
Attack Contract on Arbitrum:
https://arbiscan.io/txs?a=0xbb52f1723ddf2c84ba2668f4e04712f572cbf780
Exploited Contract on Arbitrum: https://arbiscan.io/address/0xbc452fdc8f851d7c5b72e1fe74dfb63bb793d511
Funds are currently being held here.
Hedgey Finance took the unconventional step of reaching out to the attacker via an on-chain message, expressing a willingness to engage in dialogue and discuss potential next steps. In a somewhat surprising move, Hedgey appeared to assume the attacker's intentions to be altruistic, even going so far as to commend them with a "well done" for uncovering the exploit.
This gesture, however, raises eyebrows and prompts questions about the nature of the attacker's motives. With a hint of irony, Hedgey thanked the perpetrator for their actions, questioning whether they consider themselves among the ranks of ethical hackers. The juxtaposition of gratitude with the severity of the theft—a staggering $44.7 million—underscores the complexities of the situation.
Despite the attempt to frame the exploit in a positive light, the reality remains stark: regardless of the attacker's intentions, significant financial harm has been inflicted. This leads to a pertinent question: does praising the exploit undermine the gravity of the situation and insult the users whose funds were compromised?
It's worth noting that Hedgey's security protocols underwent scrutiny in mid-2023 through an audit conducted by ConsenSys Diligence. However, this recent breach highlights the persistent challenges faced by DeFi platforms in maintaining robust security measures and underscores the need for continuous vigilance in the ever-evolving landscape of decentralized finance.
Get Ahead In Crypto. Join 15,000+ subscribers and get our free 5-min daily newsletter
While Hedgey Finance lauds the skills of the attacker and optimistically entertains the notion of them being a white hat actor, the harsh reality of nearly $45 million in losses exposes glaring vulnerabilities in their security infrastructure.
Rebuilding trust will be a monumental task for Hedgey, necessitating a comprehensive overhaul of their security protocols. Strengthening input validation, bolstering access controls, and subjecting their systems to rigorous audits are imperative steps to prevent a recurrence of such devastating breaches.
The road to recovery will be arduous, marked by the daunting challenge of restoring faith among users whose trust has been shattered. By meticulously examining their security practices and deriving lessons from these costly errors, Hedgey can embark on the painstaking journey of rebuilding its reputation within the decentralized finance community.
The decentralized finance sector, while a hotbed of innovation, also serves as a sobering reminder of the high stakes involved and the dire consequences of negligence. For Hedgey, this exploit stands as a cautionary tale, underscoring the paramount importance of prioritizing security above all else.
As the dust settles, the pivotal question looms: can Hedgey successfully redeem itself and regain the trust of its users, or will this incident forever tarnish its position in the realm of DeFi? Only time will tell as Hedgey navigates the intricate path towards redemption in the eyes of the decentralized finance community.Unveiling Vulnerabilities: Hedgey Finance's $44.7 Million Breach Sparks Urgent Security Reevaluation in DeFi