Cryptocurrency

Hedera confirms exploit on mainnet led to theft of service tokens

Hedera, the team behind distributed ledger Hedera Hashgraph, has confirmed a smart contract exploit on the Hedera Mainnet that has led to the theft of several liquidity pool tokens.

Hedera said the attacker targeted liquidity pool tokens on decentralized exchanges (DEXs) that derived its code from Uniswap v2 on Ethereum, which was ported over for use on the Hedera Token Service.

The Hedera team explained that the suspicious activity was detected when the attacker attempted to move the stolen tokens across the Hashport bridge, which consisted of liquidity pool tokens on SaucerSwap, Pangolin and HeliSwap. Operators acted promptly to temporarily pause the bridge.

Hedera didn’t confirm the amount of tokens that were stolen.

On Feb. 3, Hedera upgraded the network to convert Ethereum Virtual Machine (EVM)-compatible smart contract code onto the Hedera Token Service (HTS).

Part of this process involves the decompiling of Ethereum contract bytecode to the HTS, which is where Hedera-based DEX SaucerSwap believes the attack vector came from. However, Hedera didn’t confirm this in its most recent post.

Earlier, Hedera managed to shut down network access by turning off IP proxies on March 9. The team said it has identified the “root cause” of the exploit and is “working on a solution.”

“Once the solution is ready, Hedera Council members will sign transactions to approve the deployment of updated code on mainnet to remove this vulnerability, at which point the mainnet proxies will be turned back on, allowing normal activity to resume,” the team added.

Since Hedera turned off proxies shortly after it found the potential exploit, the team suggested tokenholders check the balances on their account ID and Ethereum Virtual Machine (EVM) address on hashscan.io for their own “comfort.”

Related: Hedera Governing Council to buy hashgraph IP and open-source project’s code

The price of the network’s token Hedera (HBAR) has fallen 7% since the incident roughly 16 hours ago, in line with the broader market fall over the last 24 hours.

However, the total value locked (TVL) on SaucerSwap fell nearly 30% from $20.7 million to $14.58 million over the same timeframe:

The fall suggests a significant amount of tokenholders acted quickly and withdraw their funds following the initial discussion of a potential exploit.

The incident has potentially spoiled a major milestone for the network, with the Hedera Mainnet surpassing 5 billion transactions on March 9.

This appears to be the first reported network exploit on Hedera since it was launched in July 2017.

Articles You May Like

AI-driven stock market boost sets California up for a balanced budget
Milan beats London and New York as home to most expensive shopping street
The lawyer at the heart of the ferocious debate over assisted dying
Government could force pension funds to invest more in UK assets
She Took a Pill to End Her Pregnancy, Then Realized It Was a ‘Major Mistake.’ Here’s How She Saved Her Baby’s Life