Lendhub, a relatively small cross-chain crypto lending platform operating on HECO, was exploited to the tune of $6 million earlier this January.
Attack Possible Solely Due to Poor Coding
The attack was carried out due to a poorly executed removal of a deprecated IBSV cToken. Its replacement, which was already active, had an identical price at the time, which allowed the unknown bad actor to manipulate the pricing and drain around $6 million worth of crypto from the platform.
According to blockchain security researcher Halborn, a proper analysis of the attack will be difficult to carry out, as the smart contracts responsible for the price of the two tokens were both unverified. Furthermore, the smart contracts were not attacked; the problem lay with the two tokens, which should not have been listed simultaneously.
“While the relevant smart contracts are unverified — making an in-depth analysis difficult — the attacker did not need to exploit smart contract vulnerabilities to carry out this attack. The attack was only possible because two competing versions of the same token were available on the market.”
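As an added illustration that is not drawn from the article or from LendHub's own contracts: a small Python model of a Compound-style market list (all names and values constructed), contrasting a deprecation that merely unlists the old cToken with one that also strips its collateral power, and a listing check that flags two markets still backed by the same underlying or price feed, the condition Halborn describes above.

```python
from dataclasses import dataclass
from typing import List, Tuple


@dataclass
class Market:
    """One cToken market in a constructed Compound-style lending model."""
    ctoken: str               # hypothetical cToken label
    underlying: str           # asset the cToken wraps
    price_feed: str           # oracle feed key used to price the market
    collateral_factor: float  # > 0 means deposits here can back borrows
    listed: bool = True       # shown in the UI / public market list


def deprecate_unlist_only(m: Market) -> None:
    """Weak deprecation: hides the market but leaves its borrowing power."""
    m.listed = False


def deprecate_fully(m: Market) -> None:
    """Complete deprecation: unlist AND remove borrowing power."""
    m.listed = False
    m.collateral_factor = 0.0


def duplicate_backed_markets(markets: List[Market]) -> List[Tuple[str, str]]:
    """Return pairs of cTokens that share an underlying or a price feed while
    both still carry collateral power. Any hit means two competing versions of
    one asset are live at the same time, regardless of what the UI lists."""
    live = {}
    hits = set()
    for m in markets:
        if m.collateral_factor <= 0:
            continue  # fully deprecated markets cannot back borrows
        for key in (("underlying", m.underlying), ("feed", m.price_feed)):
            if key in live and live[key] is not m:
                hits.add((live[key].ctoken, m.ctoken))
            else:
                live.setdefault(key, m)
    return sorted(hits)


def run_scenario(fully_deprecated: bool) -> List[Tuple[str, str]]:
    """Constructed scenario: old and new IBSV markets plus an unrelated one."""
    old = Market("cIBSV_v1", "IBSV", "IBSV/USD", 0.8)
    new = Market("cIBSV_v2", "IBSV", "IBSV/USD", 0.8)
    eth = Market("cETH", "ETH", "ETH/USD", 0.75)
    (deprecate_fully if fully_deprecated else deprecate_unlist_only)(old)
    return duplicate_backed_markets([old, new, eth])
```

Running the check as a pre-deployment gate on the market configuration catches the unlist-only case, where the old market disappears from the UI but still shares price and borrowing power with its replacement.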
Partial Withdrawal on the Spot
Just over 1100 ETH, worth about $1.79 million at the time, were sent to TornadoCash mere hours after the exploit.
However, the rest of the stolen funds appear to be moving again, according to both Peckshield and Beosin.
2415 ETH, worth over $3.8 million at the time this article was written, has been sent from a wallet associated with the attack to TornadoCash.
#PeckShieldAlert ~2,415.4 $ETH (~3.85M) into Tornado Cash from @LendHubDefi exploiters
LendHub was exploited, and $6M worth of cryptos was stolen from its protocol on Jan. 12. https://t.co/vDxHlTgR0o
— PeckShieldAlert (@PeckShieldAlert) February 27, 2023
This brings the total amount moved to TornadoCash up to 3515.4 ETH, currently worth over $5.7 million. The remaining hundreds of thousands are still stashed away in the attacker’s wallet and will probably be sent to a crypto mixer shortly.
Thankfully, there is a silver lining to this story: this was the biggest attack on a crypto company during the month of January, and it is a far cry from the Harmony or Ronin attacks of last year. In total, January saw about $8.8 million worth of crypto lost to hacks, a reduction of over 90% in stolen value compared to January 2022.
Whether this is because devs are starting to take security more seriously or because of other factors, it is important to remember that cybersecurity is a constant battle, and if devs want to keep a positive track record, they had best stay alert.