LendHub, a relatively small cross-chain crypto lending platform operating on HECO, was exploited for $6 million earlier in January.
Attack possible only due to bad coding
The attack was made possible by a poorly executed deletion of an outdated IBSV cToken. Its replacement, already active, had an identical price at the time, which allowed the unknown bad actor to manipulate prices and drain around $6 million worth of crypto from the platform.
According to blockchain security researcher Halborn, a thorough analysis of the attack is difficult because the smart contracts responsible for the price of the two tokens have not been verified. Moreover, the attack did not target the smart contracts themselves, only the tokens, which should not have been listed simultaneously.
“Although the relevant smart contracts are not verified, making in-depth analysis difficult, the attacker did not need to exploit smart contract vulnerabilities to carry out this attack. The attack was only possible because two competing versions of the same token were available on the market.”
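The condition described above, two usable cTokens for the same underlying asset, can be checked for before and after any market migration. The following Python check is an added example, not code from LendHub or Halborn; the `Market` fields, the cToken labels and the sample snapshot are assumptions modelled on Compound-style lending forks.

```python
from collections import defaultdict
from dataclasses import dataclass


@dataclass(frozen=True)
class Market:
    ctoken: str               # label of the cToken contract (constructed)
    underlying: str           # asset the cToken wraps
    mint_paused: bool         # True once new deposits are disabled
    borrow_paused: bool       # True once new borrows are disabled
    collateral_factor: float  # 0.0 means it can no longer back loans

    def open_capabilities(self):
        """Return what this market still allows users to do."""
        caps = []
        if not self.mint_paused:
            caps.append("mint")
        if not self.borrow_paused:
            caps.append("borrow")
        if self.collateral_factor > 0:
            caps.append("collateral")
        return caps


def find_overlapping_markets(markets):
    """Map each underlying with more than one usable cToken to those cTokens."""
    by_underlying = defaultdict(list)
    for m in markets:
        if m.open_capabilities():          # fully wound-down markets are ignored
            by_underlying[m.underlying].append(m)
    return {
        asset: {m.ctoken: m.open_capabilities() for m in group}
        for asset, group in by_underlying.items()
        if len(group) > 1
    }


# Constructed listing snapshot, not real on-chain data.
SAMPLE = [
    Market("cIBSV-old", "IBSV", True, False, 0.6),   # deprecated but still usable
    Market("cIBSV-new", "IBSV", False, False, 0.6),
    Market("cUSDT-old", "USDT", True, True, 0.0),    # cleanly retired
    Market("cUSDT-new", "USDT", False, False, 0.8),
    Market("cETH", "ETH", False, False, 0.75),
]

if __name__ == "__main__":
    for asset, tokens in find_overlapping_markets(SAMPLE).items():
        print(f"{asset}: overlapping markets {tokens}")
```

A non-empty result means a deprecated market was left partly enabled next to its replacement; the listed capabilities show what still has to be paused or zeroed before the old cToken can be considered retired.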
Partial withdrawal on site
Just over 1,100 ETH, worth around $1.79 million at the time, were sent to TornadoCash just hours after the exploit.
However, the rest of the stolen funds appear to be moving again, according to Peckshield and Beosin.
2415 ETH, worth over $3.8 million at the time of writing, was sent to TornadoCash from a wallet associated with the attack.
#PeckShieldAlert ~2,415.4 $ETH (~3.85M) in Tornado Cash of @LendHubDefi exploiters
LendHub was exploited and $6 million worth of crypto was stolen from its protocol on January 12.
— PeckShieldAlert (@PeckShieldAlert) February 27, 2023
This brings the total amount transferred to TornadoCash to 3515.4 ETH, with a current value of over $5.7 million. The remaining hundreds of thousands are still hidden in the attacker’s wallet and will likely be sent to a crypto mixer shortly.
Fortunately, there is a silver lining to this story: it was the biggest attack on a crypto company during the month of January, and it is a far cry from the Harmony or Ronin attacks of last year. In total, January saw around $8.8 million worth of crypto lost to hacks, a reduction of over 90% in stolen value compared to January 2022.
Whether it’s because developers are starting to take security more seriously or for other factors, it’s important to keep in mind that cybersecurity is a constant battle – and if developers want to keep a positive track record, they must remain vigilant.