Hedgey Finance Flash Loan Attack

From Quadriga Initiative Cryptocurrency Hacks, Scams, and Frauds Repository


Hedgey Finance Logo/Homepage

Hedgey offers token infrastructure solutions for onchain teams, including token vesting, lockups, grants, and distributions for teams, investors, and communities. The exploit occurred due to insufficient input validation on user parameters, enabling the attacker to misuse token approvals within the vulnerable contract and ultimately transfer funds to their own contract after taking a flash loan from Balancer. The Hedgey Finance team said the attack was "well done" and has attempted to reach out to the attacker for negotiations.

This is a global/international case not involving a specific country.[1][2][3]

About Hedgey Finance

Hedgey offers token infrastructure solutions for onchain teams, including token vesting, lockups, grants, and distributions for teams, investors, and communities. Users can create onchain vesting plans with dashboards to track, manage, amend plans, and claim tokens. Hedgey's platform has received positive feedback from users across various organizations and industries. It also provides tools specifically designed for PreToken companies, DAOs, investors, and communities, streamlining token distribution workflows and offering resources and service providers. Hedgey aims to simplify every detail involved in token launches and distributions, providing customizable voting, delegation, and core feature optimizations to keep up with the evolving onchain landscape.

"Token infrastructure for onchain teams. Token vesting, lockups, grants and distributions for your team, investors and community."

“The #1 token vesting and lockup tools.”

"Consensys Diligence audited Hedgey’s Token Lockup and Vesting Plans in June and July of 2023."

"Hedgey Finance rocked by $44.7 million flash loan attack across both the Arbitrum and Ethereum platforms."

"The root cause of the exploit is the lack of input validation on users' parameters, which allowed the attacker to manipulate and gain unauthorized token approvals.

The attacker took a flash loan of $1.3 million USDC from Balancer to abuse and manipulate the claimLockup parameter within the createLockedCampaign function of the exploited contract to trick this vulnerable contract into approving USDC token transfer to the attack contract."
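The quote above describes the general failure mode: a parameter chosen by the caller of createLockedCampaign decided which contract received an ERC-20 allowance over funds the campaign contract custodied, and nothing validated that choice. The following is an added illustration of that pattern and one way to close it; it is not Hedgey's contract code and not a reconstruction of it. The contract names, the `lockup` address parameter, the `Campaign` fields and the function set are all assumptions made for the example. The vulnerable contract approves whatever address the caller names; the hardened one validates the address against an owner-managed allowlist and, more importantly, never grants a standing allowance at all, moving tokens only through a release function restricted to the recorded lockup.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.20;

// Added example only; contract names, fields and function shapes are assumptions,
// not Hedgey's code. Minimal ERC-20 surface used by the two contracts below.
// Production code would wrap these calls in a SafeERC20-style helper, since some
// tokens return no bool at all and the bare require() here would revert on them.
interface IERC20 {
    function approve(address spender, uint256 amount) external returns (bool);
    function transferFrom(address from, address to, uint256 amount) external returns (bool);
    function transfer(address to, uint256 amount) external returns (bool);
}

// Vulnerable pattern: the campaign creator supplies `lockup`, the contract that will
// later pull the campaign's tokens, and this contract approves it without validation.
// Whoever the caller names now holds an allowance over tokens held in custody here.
contract ClaimCampaignsVulnerable {
    struct Campaign { address creator; address token; uint256 amount; address lockup; }
    mapping(bytes32 => Campaign) public campaigns;

    function createLockedCampaign(bytes32 id, address token, uint256 amount, address lockup) external {
        require(campaigns[id].token == address(0), "campaign exists");
        require(IERC20(token).transferFrom(msg.sender, address(this), amount), "transfer failed");
        campaigns[id] = Campaign(msg.sender, token, amount, lockup);
        // No check on `lockup`: the allowance goes to a caller-controlled address.
        require(IERC20(token).approve(lockup, amount), "approve failed");
    }
}

// Hardened pattern: `lockup` must be on an owner-managed allowlist, the amount must be
// non-zero, and no allowance is ever granted. Tokens leave only through releaseToLockup,
// callable solely by the allowlisted lockup recorded at creation, or through a refund
// to the creator on cancellation.
contract ClaimCampaignsHardened {
    address public immutable owner;
    mapping(address => bool) public trustedLockup;
    struct Campaign { address creator; address token; uint256 amount; address lockup; }
    mapping(bytes32 => Campaign) public campaigns;

    event CampaignCreated(bytes32 indexed id, address indexed creator, address lockup, uint256 amount);
    event CampaignReleased(bytes32 indexed id, address indexed lockup, uint256 amount);
    event CampaignCancelled(bytes32 indexed id);

    constructor() { owner = msg.sender; }

    function setTrustedLockup(address lockup, bool allowed) external {
        require(msg.sender == owner, "not owner");
        trustedLockup[lockup] = allowed;
    }

    function createLockedCampaign(bytes32 id, address token, uint256 amount, address lockup) external {
        require(campaigns[id].token == address(0), "campaign exists");
        require(amount > 0, "zero amount");
        require(trustedLockup[lockup], "lockup not allowlisted");
        require(IERC20(token).transferFrom(msg.sender, address(this), amount), "transfer failed");
        campaigns[id] = Campaign(msg.sender, token, amount, lockup);
        emit CampaignCreated(id, msg.sender, lockup, amount);
    }

    // Only the lockup recorded for this campaign can pull its tokens, and the campaign
    // record is cleared before the external call (checks-effects-interactions).
    function releaseToLockup(bytes32 id) external {
        Campaign memory c = campaigns[id];
        require(c.token != address(0), "no such campaign");
        require(msg.sender == c.lockup, "caller is not the campaign lockup");
        delete campaigns[id];
        require(IERC20(c.token).transfer(c.lockup, c.amount), "transfer failed");
        emit CampaignReleased(id, c.lockup, c.amount);
    }

    // Cancellation refunds the creator; because no allowance was ever set, there is
    // nothing left behind for any other party to spend after the refund.
    function cancelCampaign(bytes32 id) external {
        Campaign memory c = campaigns[id];
        require(c.token != address(0), "no such campaign");
        require(msg.sender == c.creator, "not creator");
        delete campaigns[id];
        require(IERC20(c.token).transfer(c.creator, c.amount), "refund failed");
        emit CampaignCancelled(id);
    }
}
```

The design point is that validating the parameter is necessary but the stronger fix is removing the standing allowance altogether: an allowance is a persistent right that outlives the call that created it, so it has to be reasoned about across every later state change (cancellation, re-creation, upgrades), whereas a restricted release function only ever moves tokens at the moment the authorized caller asks for them.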

"It appears the lockup tools were not secure enough, as the thieves drained just over $2.1m worth of assets from the Ethereum contract, consisting of USDC, NOBL, and MASA tokens."

"On the Arbitrum chain, the attacker was able to steal roughly $42.6m worth of BONUS tokens."

"Security Alert: We're investigating an attack on the Hedgey Token Claim Contract. If you have created active claims, please cancel them using the "End Token Claim" button at https://app.hedgey.finance/token-claims " "We are actively working with our auditors and team to understand the attack and stop any ongoing attack. We will share more information as we learn more."

"NobleBlocks(NOBL) gave a detailed security report to their community. Bonus Block(BONUS) briefly posted “Our vestings are safe" and MASA seemed more concerned with hosting Twitter Spaces than informing their community about the exploit."

"We regret to inform you of a recent security breach that impacted @hedgeyfinance, a prominent token infrastructure platform on which our $NOBL tokens are utilized. During this incident, attackers exploited a business logic flaw in Hedgey’s ClaimCampaigns smart contract, resulting in a substantial loss of $44.7 million across both the Arbitrum and Ethereum platforms. The attackers utilized flash-loaned funds to manipulate the 'createLockedCampaign' function, which led to unauthorized token transactions, draining USDC, NOBL, and MASA tokens from the victim contract."

"Following the attack, we have been in direct communication with Hedgey and an MEV bot operator, Coffeebabe, who intervened during the attack. Coffeebabe successfully front-ran several transactions made by the hacker, a strategic move intended to mitigate the effects of the hack. Efforts to recover NOBL tokens and ETH are ongoing, and these assets will be used to repurchase NOBL to restore the affected balances as soon as they are successfully recovered."

"Update on this morning's exploit. We will be doing a full post mortem in the coming days. Right now we are focused on working with our impacted users of the token claims product and recovering lost funds. The exploit was specific to our token claims contracts with funds that had not been claimed. It did not impact users of our token vesting, investor lockup, treasury lock, or timelock contracts. It did not impact recipients who have already claimed streaming allocations from a token claim. We have been working with Consensys Diligence and SEAL_Org to manage this stage of damage control and recovery. We have sent the creator of the exploit a message on Etherscan to begin recovering funds. In the coming days, we will be focusing on working with our impacted users and recovering funds. Expect updates as we continue working and a full post-mortem review in the coming days."

"It is important to note that all compromised tokens have been sold, and the market is stabilizing. We believe it is now safe to engage with $NOBL tokens again, as all other tokens remain securely locked, and those stolen have been liquidated by the hacker and some attempted recoveries are in process.

We appreciate the vigilance and rapid response of everyone involved, and we are committed to ensuring that all necessary actions are taken to safeguard our community's assets. Please stay tuned for further updates as we continue to work through this issue and reinforce our platform's security measures."

"Hedgey sent an onchain message to the attacker looking to get in touch and discuss next steps. They’re assuming it is a white hat and even told them “well done” for finding the exploit."


The background of the exchange platform, service, or individuals involved, as it would have been seen or understood at the time of the events.

Include:

  • Known history of when and how the service was started.
  • What problems does the company or service claim to solve?
  • What marketing materials were used by the firm or business?
  • Audits performed, and excerpts that may have been included.
  • Business registration documents shown (fake or legitimate).
  • How were people recruited to participate?
  • Public warnings and announcements prior to the event.

Don't Include:

  • Any wording which directly states or implies that the business is/was illegitimate, or that a vulnerability existed.
  • Anything that wasn't reasonably knowable at the time of the event.

There could be more than one section here. If the same platform is involved with multiple incidents, then it can be linked to a main article page.

The Reality

This section is included if a case involved deception or information that was unknown at the time. Examples include:

  • When the service was actually started (if different than the "official story").
  • Who actually ran a service and their own personal history.
  • How the service was structured behind the scenes. (For example, there was no "trading bot".)
  • Details of what audits reported and how vulnerabilities were missed during auditing.

What Happened

The specific events of the loss and how it came about. What actually happened to cause the loss and some of the events leading up to it.

Key Event Timeline - Hedgey Finance Flash Loan Attack

Date | Event | Description
April 19th, 2024 1:02:59 AM MDT | Malicious Ethereum Transaction | The exploit transaction runs and starts to drain funds from the smart contract.
April 19th, 2024 1:23:00 AM MDT | Tweet By Cyvers | The Cyvers team shares an alert about the exploit.
April 19th, 2024 3:28:02 AM MDT | Malicious Arbitrum Transaction | A similar attack is carried out against the Arbitrum smart contract and appears to be even more successful.
April 19th, 2024 3:44:00 AM MDT | Hedgey Finance Confirmation | The Hedgey Finance team confirms the exploit. "We are actively working with our auditors and team to understand the attack and stop any ongoing attack. We will share more information as we learn more."
April 19th, 2024 10:25:00 AM MDT | NobleBlocks Tweet | NobleBlocks shares a tweet to their community about the security breach.

Technical Details

This section includes specific detailed technical analysis of any security breaches which happened. What specific software vulnerabilities contributed to the problem and how were they exploited?

Total Amount Lost

The total amount lost has been estimated at $44,700,000 USD.

How much was lost and how was it calculated? If there are conflicting reports, which are accurate and where does the discrepancy lie?

Immediate Reactions

How did the various parties involved (firm, platform, management, and/or affected individual(s)) deal with the events? Were services shut down? Were announcements made? Were groups formed?

Ultimate Outcome

What was the end result? Was any investigation done? Were any individuals prosecuted? Was there a lawsuit? Was any tracing done?

Total Amount Recovered

The total amount recovered is unknown.

What funds were recovered? What funds were reimbursed for those affected users?

Ongoing Developments

What parts of this case are still remaining to be concluded?

Individual Prevention Policies

No specific policies for individual prevention have yet been identified in this case.

For the full list of how to protect your funds as an individual, check our Prevention Policies for Individuals guide.

Platform Prevention Policies

Policies for platforms to take to prevent this situation have not yet been selected in this case.

For the full list of how to protect your funds as a financial service, check our Prevention Policies for Platforms guide.

Regulatory Prevention Policies

No specific regulatory policies have yet been identified in this case.

For the full list of regulatory policies that can prevent loss, check our Prevention Policies for Regulators guide.

References