A recent exploit in an Arbitrum-based decentralized finance (DeFi) project caused users of the platform to lose $2 million, CoinTelegraph reports.
On Tuesday, Feb. 21, CertiK, a Web3 security bulletin, flagged the incident when a Nigerian citizen exploited a smart contract and transferred $1.86 million to Tornado Cash.
#CommunityAlert ๐จ@hope_fin have announced the community has been scammed for ~$2m making this the largest #exitscam on Arbitrum in 2023.
$1.86m was transferred to @TornadoCash.
Hope_fin have posted steps for user's to withdraw their staked LPhttps://t.co/hJbFXiKujt— CertiK Alert (@CertiKAlert) February 21, 2023
Since its inception in 2019, Tornado Cash has been used to launder more than $7 billion worth of virtual money, according to the US Treasury, which blacklisted it in August 2022.
Nonetheless, due to its decentralized design, operations have continued. It cannot be separated from the financial system in the same way that traditional organizations cannot.
Scammer Drained Hope Finance with Exploit
The hacked Hope Finance platform, which joined Twitter in January 2023, reportedly intended to launch a stablecoin dubbed the Hope token (HOPE).
The token's supply would have been constantly adjusted based on the price of Ether. Prior to the exploit, the platform's Twitter account had detailed these intentions for HOPE. (Ethereum Market Cap: $204.59 billion)
Read Also: Facebook Verified Account: Elon Musk Reacts to Meta's New Verification System
CoinTelegraph explains that the con artist altered the smart contract, causing Hope Finance's genesis protocol to be drained of funds. The scammer modified the TradingHelper contract such that when 0x4481 calls OpenTrade on the GenesisRewardPool, the funds are routed to the scammer.
The Twitter account for Hope Finance tweeted two images of the alleged con artist 17 hours ago. One of the photos displayed the identification card of a Nigerian national student.
Smart Code Passed Audit Before Exploit
As reported by Crypto.news, a Cognitos representative audited the Hope Finance smart contract on Feb. 13. Two critical contract function vulnerabilities were identified in the audit summary, including an erroneous modifier and the possibility of reentrancy attacks. Notwithstanding these vulnerabilities, the smart contract code passed the audit.
Following the major exploit, Hope Finance provided users with instructions on how to use the protocol's emergency withdrawal capability to withdraw staked liquidity.
Steps to withdraw your staked LP from the this fucking scam protocol
— Hope Finance (๐,๐งก) (@Hope_fin) February 21, 2023
1. Go on this linkhttps://t.co/HjuvQyxbUX
2. connect your wallet
3. click on emergency withdraw
Enter 0000000000000000000000000000000000000000000000000000000000000002 pic.twitter.com/5RxtgKXgoo
Arbitrum, an Ethereum layer 2 roll-up network, allows smart contracts to scale exponentially. Along with Optimism, the two layer-2 protocols continue to process a rising number of Ethereum transactions.
Are De-Fi projects reliable?
This incident demonstrates the necessity of smart contract security and proper auditing procedures. In addition, it serves as a lesson for users to take caution when investing in new DeFi projects, particularly when some details are insufficient.
Together with the unregulated and vulnerable nature of decentralized finance (DeFi) protocols and organizations, the cryptocurrency industry is a high-value target for cybercriminals, according to the US think tank CFR. The council notes that existing policies have not adequately addressed the scope of pre- and post-compromise considerations.
It is unclear what measures Hope Finance will take to resolve the vulnerability and repay affected subscribers. The DeFi space continues to endure growing pains as it explores new boundaries in decentralized finance, and it is imperative that projects maintain vigilance about security.
Stay posted here at Tech Times.
Related Article: CryptoWatch: Paul Pierce's Settlement, Cryptocurrency Scams, and New Malware in the US, UK
