$44 700 000 USD

APRIL 2024

GLOBAL

HEDGEY FINANCE

DESCRIPTION OF EVENTS

Hedgey offers token infrastructure solutions for onchain teams, including token vesting, lockups, grants, and distributions for teams, investors, and communities. Users can create onchain vesting plans with dashboards to track, manage, amend plans, and claim tokens. Hedgey's platform has received positive feedback from users across various organizations and industries. It also provides tools specifically designed for PreToken companies, DAOs, investors, and communities, streamlining token distribution workflows and offering resources and service providers. Hedgey aims to simplify every detail involved in token launches and distributions, providing customizable voting, delegation, and core feature optimizations to keep up with the evolving onchain landscape.


"Token infrastructure for onchain teams. Token vesting, lockups, grants and distributions for your team, investors and community."


“The #1 token vesting and lockup tools.”


"Consensys Diligence audited Hedgey’s Token Lockup and Vesting Plans in June and July of 2023."


"Hedgey Finance rocked by $44.7 million flash loan attack across both the Arbitrum and Ethereum platforms."


"The root cause of the exploit is the lack of input validation on users' parameters, which allowed the attacker to manipulate and gain unauthorized token approvals.


The attacker took a flash loan of $1.3 million USDC from Balancer to abuse and manipulate the claimLockup parameter within the createLockedCampaign function of the exploited contract to trick this vulnerable contract into approving USDC token transfer to the attack contract."


"It appears the lockup tools were not secure enough, as the thieves drained just over $2.1m worth of assets from the Ethereum contract, consisting of USDC, NOBL, and MASA tokens."


"On the Arbitrum chain, the attacker was able to steal roughly $42.6m worth of BONUS tokens."


"Security Alert: We're investigating an attack on the Hedgey Token Claim Contract. If you have created active claims, please cancel them using the 'End Token Claim' button at https://app.hedgey.finance/token-claims"

"We are actively working with our auditors and team to understand the attack and stop any ongoing attack. We will share more information as we learn more."


"NobleBlocks (NOBL) gave a detailed security report to their community. Bonus Block (BONUS) briefly posted 'Our vestings are safe' and MASA seemed more concerned with hosting Twitter Spaces than informing their community about the exploit."


"We regret to inform you of a recent security breach that impacted @hedgeyfinance, a prominent token infrastructure platform on which our $NOBL tokens are utilized. During this incident, attackers exploited a business logic flaw in Hedgey’s ClaimCampaigns smart contract, resulting in a substantial loss of $44.7 million across both the Arbitrum and Ethereum platforms. The attackers utilized flash-loaned funds to manipulate the 'createLockedCampaign' function, which led to unauthorized token transactions, draining USDC, NOBL, and MASA tokens from the victim contract."


"Following the attack, we have been in direct communication with Hedgey and an MEV bot operator, Coffeebabe, who intervened during the attack. Coffeebabe successfully front-ran several transactions made by the hacker, a strategic move intended to mitigate the effects of the hack. Efforts to recover NOBL tokens and ETH are ongoing, and these assets will be used to repurchase NOBL to restore the affected balances as soon as they are successfully recovered."


"Update on this morning's exploit. We will be doing a full post mortem in the coming days. Right now we are focused on working with our impacted users of the token claims product and recovering lost funds. The exploit was specific to our token claims contracts with funds that had not been claimed. It did not impact users of our token vesting, investor lockup, treasury lock, or timelock contracts. It did not impact recipients who have already claimed streaming allocations from a token claim. We have been working with Consensys Diligence and SEAL_Org to manage this stage of damage control and recovery. We have sent the creator of the exploit a message on Etherscan to begin recovering funds. In the coming days, we will be focusing on working with our impacted users and recovering funds. Expect updates as we continue working and a full post-mortem review in the coming days."


"It is important to note that all compromised tokens have been sold, and the market is stabilizing. We believe it is now safe to engage with $NOBL tokens again, as all other tokens remain securely locked, and those stolen have been liquidated by the hacker and some attempted recoveries are in process.


We appreciate the vigilance and rapid response of everyone involved, and we are committed to ensuring that all necessary actions are taken to safeguard our community's assets. Please stay tuned for further updates as we continue to work through this issue and reinforce our platform's security measures."


"Hedgey sent an onchain message to the attacker looking to get in touch and discuss next steps. They’re assuming it is a white hat and even told them “well done” for finding the exploit."

Hedgey offers token infrastructure for onchain teams, including token vesting, lockups, grants, and distributions for teams, investors, and communities. The exploit was confined to the token claims contracts and to funds that had not yet been claimed from them; the vesting, investor lockup, treasury lock, and timelock contracts were not affected. The root cause was insufficient validation of user-supplied parameters in the createLockedCampaign function of the ClaimCampaigns contract: by manipulating the claimLockup parameter, the attacker, funded with a USDC flash loan from Balancer, caused the contract to approve token transfers to the attacker's own contract, then drained roughly $2.1 million in USDC, NOBL, and MASA from the Ethereum deployment and roughly $42.6 million in BONUS tokens on Arbitrum. The Hedgey Finance team sent the attacker an onchain message telling them "well done" and asking to get in touch, in an attempt to negotiate the return of funds.
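The bug class the root-cause quotes describe, as an added illustration that is not Hedgey's code: a campaign contract that grants an ERC20 allowance to an address taken straight from the caller's claimLockup parameter, beside a hardened version that only grants allowances to locker contracts the owner has registered. The ClaimLockup struct fields, the createLockedCampaign signature, the storage layout and the approvedLockers allowlist are assumptions made for this example; the page does not reproduce Hedgey's contracts, and the exact transaction sequence of the April 2024 attack is not reconstructed here.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.20;

// Hypothetical illustration of the pattern described on this page. This is NOT
// Hedgey's code: struct layout, function signature and storage are assumed.

interface IERC20 {
    function transferFrom(address from, address to, uint256 amount) external returns (bool);
    function approve(address spender, uint256 amount) external returns (bool);
}

// Assumed shape of the user-supplied lockup parameter. tokenLocker names the
// contract that will later pull tokens out of the campaign contract to lock them.
struct ClaimLockup {
    address tokenLocker;
    uint256 start;
    uint256 cliff;
    uint256 period;
    uint256 periods;
}

struct Campaign {
    address manager;
    address token;
    uint256 amount;
}

// Vulnerable pattern: the allowance goes to whatever address the caller placed
// in claimLockup.tokenLocker, so a caller can name a contract they control.
contract VulnerableClaimCampaigns {
    mapping(bytes16 => Campaign) public campaigns;

    function createLockedCampaign(
        bytes16 id,
        address token,
        uint256 amount,
        ClaimLockup calldata claimLockup
    ) external {
        require(campaigns[id].manager == address(0), "campaign exists");
        campaigns[id] = Campaign(msg.sender, token, amount);
        require(IERC20(token).transferFrom(msg.sender, address(this), amount), "transfer failed");
        // No validation of claimLockup.tokenLocker: an attacker-supplied contract
        // now holds a transferFrom allowance over this contract's token balance,
        // which also holds every other campaign's unclaimed funds.
        require(IERC20(token).approve(claimLockup.tokenLocker, amount), "approve failed");
    }
}

// Hardened pattern: only locker contracts registered by the owner may receive
// an allowance, and the schedule fields are sanity-checked before any transfer.
contract HardenedClaimCampaigns {
    address public immutable owner;
    mapping(address => bool) public approvedLockers;
    mapping(bytes16 => Campaign) public campaigns;

    constructor(address[] memory lockers) {
        owner = msg.sender;
        for (uint256 i = 0; i < lockers.length; i++) {
            approvedLockers[lockers[i]] = true;
        }
    }

    function setLocker(address locker, bool ok) external {
        require(msg.sender == owner, "not owner");
        approvedLockers[locker] = ok;
    }

    function createLockedCampaign(
        bytes16 id,
        address token,
        uint256 amount,
        ClaimLockup calldata claimLockup
    ) external {
        require(campaigns[id].manager == address(0), "campaign exists");
        require(amount > 0, "zero amount");
        // The check that was missing above: the spender must be a known locker.
        require(approvedLockers[claimLockup.tokenLocker], "locker not approved");
        require(claimLockup.period > 0 && claimLockup.periods > 0, "bad schedule");
        require(claimLockup.cliff >= claimLockup.start, "cliff before start");
        campaigns[id] = Campaign(msg.sender, token, amount);
        require(IERC20(token).transferFrom(msg.sender, address(this), amount), "transfer failed");
        require(IERC20(token).approve(claimLockup.tokenLocker, amount), "approve failed");
    }
}
```

The flash loan in the quoted analysis matters only as capital: it let the caller deposit a large amount so that the allowance the contract handed out was correspondingly large. The control is the approvedLockers check; a reviewer can look for its absence in any function that calls approve or increaseAllowance with a spender the caller chooses. A production contract would also use a safe-approve wrapper and an increase rather than an overwrite, since approve replaces any allowance an earlier campaign already granted to the same locker.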

Sources And Further Reading

 For questions or enquiries, email info@quadrigainitiative.com.


© 2021 Quadriga Initiative. Your use of this site/service accepts the Terms of Use and Privacy Policy. This site is not associated with Ernst & Young, Miller Thompson, or the Official Committee of Affected Users. Hosted in Canada by HosterBox.