Holograph Rogue Developer Infinite Minting

From Quadriga Initiative Cryptocurrency Hacks, Scams, and Frauds Repository



Holograph Logo/Homepage

Holograph is a protocol that assists with the launch of omnichain tokens. On June 13th, 2024, one of their developers exploited their access to mint 1 billion HLG tokens, which were then sold on the market for various coins. The token price dropped significantly on the news. The latest update involved the team working on a buyback plan to help restore the protocol.[1][2][3][4][5][6][7][8][9][10][11][12][13]

About Holograph

"The Omnichain Token Layer. Asset issuers use Holograph to mint natively composable omnichain tokens."

"Holograph is an omnichain tokenization protocol, enabling asset issuers to mint natively composable omnichain tokens. Holograph has been used to mint millions of onchain assets, making it one of the most widely used protocols for cross-chain asset production and distribution.

Holograph works by burning tokens on the source chain, sending a message via a messaging protocol to the destination chain, and then reminting the same number of tokens to the same contract address. This unifies liquidity, eliminates slippage, and preserves fungibility across blockchains."

"Holograph facilitates use of a single, unique contract address on all EVM blockchains. Using a strictly enforced deployment process, genesis contracts are seeded across chains, allowing for all subsequent contracts to be derived from them. With this approach, contract addresses remain the same no matter where they are deployed, allowing the protocol to support all existing and future EVM chains. For non-EVM chains, the protocol may be adapted to facilitate tokenization in adherence to their respective execution environments."

The Reality

This section is included if a case involved deception or information that was unknown at the time. Examples include:

  • When the service was actually started (if different than the "official story").
  • Who actually ran a service and their own personal history.
  • How the service was structured behind the scenes. (For example, there was no "trading bot".)
  • Details of what audits reported and how vulnerabilities were missed during auditing.

What Happened

"1 billion HLG tokens were minted across nine transactions by the hacker, taking advantage of a smart contract vulnerability — with the first mint on June 13 at 9:47 am UTC, according to Etherscan."

Key Event Timeline - Holograph Rogue Developer Infinite Minting

Date | Event | Description
June 13th, 2024 3:47:00 AM MDT | First Minting Transaction | The first of the nine transactions involved in minting the unauthorized HLG tokens.
June 13th, 2024 1:15:00 PM MDT | Initial Holograph Tweet | The Holograph team posts an initial update to inform the community about the unauthorized minting.
June 14th, 2024 1:45:00 PM MDT | Holograph Tweet Update | The Holograph team shared an update with a high-level description of the exploit and what they are doing presently to deal with it.

Technical Details

"On June 13, 2024, Holograph, a blockchain tokenization protocol, encountered a critical smart contract exploit. An unauthorized actor minted 1 billion additional HLG (Holograph) tokens, incurring more than a 60% drop in token value in a duration of ten minutes. The incident had in fact resulted in a severe loss of investor confidence by the time Holograph’s team confirmed it in a statement on X."

"The omnichain NFT protocol Holograph was exploited, resulting in a loss of approximately $14.4 million. According to the team, a former contractor exploited an infinite mint vulnerability in their smart contract to release an additional 1 billion HLG tokens, which were further dumped. This malicious actor, who had funded the operator contract roughly 26 days before the attack, deployed an unverified contract on Mantle, which was used to mint the additional tokens caused by a function that exploited the protocol's verification method."

"The scam drove Holograph into a financial crisis. Ten minutes after the illegal minting, the market value of HLG tokens fell from about $22 million to less than $10 million, a startling loss of over $12 million. Because the attack raised questions about Holograph’s security protocols, investor trust in the platform was seriously damaged. Worse, the attacker’s quick transfer of a significant amount of HLG tokens to Tether (USDT) further destabilized the HLG market and raised price volatility."

"The malicious actor deployed an unverified contract on Mantle, which was used to mint additional HLG.

Using a function that exploited the protocol’s verification method, 1 billion HLG was bridged to Ethereum.

The malicious actor sent 1 billion HLG to various exchanges & proceeded to sell the tokens."

Total Amount Lost

The total amount lost has been estimated at $14,400,000 USD.

How much was lost and how was it calculated? If there are conflicting reports, which are accurate and where does the discrepancy lie?

Immediate Reactions

"The Holograph Operator contract has been exploited by a malicious actor, enabling the hacker to mint 1 billion additional HLG

The team has patched the initial exploit & is working with exchange partners to lock the malicious accounts

The team has launched an investigation & is in the process of contacting law enforcement"

"The Holograph hack was perpetrated by a former contractor of the protocol. This was initially theorized based on the fact that the attacker’s address was approved to call the project’s mint function and later confirmed by the Holograph team.

The attacker deployed a malicious smart contract on Mantle that called the protocol’s mint function. Since the attacker’s address was trusted by the contract, they were able to bypass the access controls on the mint function and perform a successful mint. The rogue developer performed nine minting transactions to create a total of 1 billion HLG tokens.

After minting 1 billion new HLG tokens, the attacker bridged them to the Ethereum network, where they began dumping them. While approximately 200 million of the minted tokens were frozen by exchanges, the attacker managed to dump some of them. As a result of the inflated supply, the value of the HLG tokens plummeted by about 80% within the first nine hours of the attack."
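The accounts above (Technical Details and Immediate Reactions) agree on the mechanism: the minting address was still trusted by the Operator contract, so the mint function's access control did not stop it, and the damage came from nine large mints in quick succession. The following is an added example, not Holograph's code and not based on their contracts, of the two defensive checks that would have fired anyway: a supply-cap and mint-rate monitor replayed over mint events, and a comparison of the on-chain minter allowlist against the current team roster to surface stale approvals such as a departed contractor's key. All addresses, transaction hashes, timestamps, cap and rate values, and the event layout are constructed assumptions for illustration.

```python
"""Mint-anomaly monitor and minter-allowlist hygiene check (added example).

Mint events are modelled as Transfer(from=0x0) logs reduced to the fields
a monitor needs. Everything below (addresses, hashes, cap, limits) is
constructed for illustration and is not Holograph data.
"""
from dataclasses import dataclass

ZERO_ADDRESS = "0x0000000000000000000000000000000000000000"


@dataclass(frozen=True)
class MintEvent:
    tx_hash: str    # constructed placeholder, not a real hash
    block: int
    timestamp: int  # unix seconds
    minter: str     # msg.sender of the privileged mint call
    amount: int     # whole tokens for readability


@dataclass(frozen=True)
class Alert:
    kind: str
    tx_hash: str
    detail: str


@dataclass(frozen=True)
class MintPolicy:
    authorized_minters: frozenset   # addresses the contract trusts to mint
    supply_cap: int                 # hard ceiling on total supply
    window_seconds: int             # sliding window for the rate limit
    window_max: int                 # max tokens minted inside one window


def check_mints(events, policy, starting_supply):
    """Replay mint events in chain order; return (alerts, final supply).

    Three independent checks: caller not on the allowlist, total supply
    above the cap, and minted volume inside the sliding window above the
    limit. The last two do not depend on the caller being trusted, which
    is the point: a still-approved key passes the first check.
    """
    alerts = []
    supply = starting_supply
    window = []  # (timestamp, amount) pairs still inside the window
    allow = {a.lower() for a in policy.authorized_minters}
    for ev in sorted(events, key=lambda e: (e.block, e.tx_hash)):
        if ev.minter.lower() not in allow:
            alerts.append(Alert("unauthorized_minter", ev.tx_hash,
                                f"{ev.minter} is not an authorized minter"))
        supply += ev.amount
        if supply > policy.supply_cap:
            alerts.append(Alert("supply_cap_exceeded", ev.tx_hash,
                                f"supply {supply} exceeds cap {policy.supply_cap}"))
        window = [(t, a) for t, a in window
                  if ev.timestamp - t < policy.window_seconds]
        window.append((ev.timestamp, ev.amount))
        minted_in_window = sum(a for _, a in window)
        if minted_in_window > policy.window_max:
            alerts.append(Alert("mint_rate_exceeded", ev.tx_hash,
                                f"{minted_in_window} minted within "
                                f"{policy.window_seconds}s, limit {policy.window_max}"))
    return alerts, supply


def stale_minters(policy, current_team):
    """Allowlisted addresses whose owner is no longer on the team roster."""
    team = {a.lower() for a in current_team}
    return sorted(a for a in policy.authorized_minters if a.lower() not in team)


def alert_counts(alerts):
    """Number of alerts per kind, as a plain dict."""
    counts = {}
    for a in alerts:
        counts[a.kind] = counts.get(a.kind, 0) + 1
    return counts


# Constructed sample: an in-house operator key and a former contractor's key
# that was never revoked from the allowlist.
OPERATOR = "0x1111111111111111111111111111111111111111"
CONTRACTOR = "0x2222222222222222222222222222222222222222"

POLICY = MintPolicy(
    authorized_minters=frozenset({OPERATOR, CONTRACTOR}),
    supply_cap=2_000_000_000,   # assumed cap, not HLG's real supply schedule
    window_seconds=3600,
    window_max=300_000_000,
)

# Nine constructed mints by the still-approved contractor key, one minute
# apart, summing to exactly 1,000,000,000 tokens.
SAMPLE_EVENTS = [
    MintEvent(f"0xmint{i:02d}", 20_000_000 + i, 1_718_272_020 + 60 * i,
              CONTRACTOR, 111_111_112 if i == 8 else 111_111_111)
    for i in range(9)
]


def run_demo(starting_supply=1_600_000_000):
    """Replay the constructed events against the policy."""
    return check_mints(SAMPLE_EVENTS, POLICY, starting_supply)


if __name__ == "__main__":
    found, final_supply = run_demo()
    for a in found:
        print(f"[{a.kind}] {a.tx_hash}: {a.detail}")
    print("final supply:", final_supply)
    print("stale minters:", stale_minters(POLICY, [OPERATOR]))
```

Replaying the sample, no `unauthorized_minter` alert is raised because the contractor's key is still on the allowlist, exactly the gap the news accounts describe; the supply cap and the rate limit still catch the run from the third and fourth mints on. The `stale_minters` comparison is the offboarding control that would have flagged the key before any mint happened.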

Ultimate Outcome

"Holograph is working with security experts to prevent an exploit like this from happening again.

The malicious actor’s exchange accounts have been frozen on Bybit, Gate, KuCoin, Bitget, & Backpack -- as of today, at least 200 million of the 1 billion additional HLG have been frozen.

Out of precaution, Bybit, Gate, KuCoin, Bitget, & Backpack have temporarily suspended all HLG deposits & withdrawals."

"A third-party audit of the protocol will be conducted. The team will continue delivering omnichain tokenization infrastructure & applications. More substantive updates will be shared as information is confirmed."

Total Amount Recovered

The total amount recovered is unknown.

What funds were recovered? What funds were reimbursed for those affected users?

Ongoing Developments

What parts of this case are still remaining to be concluded?

Individual Prevention Policies

No specific policies for individual prevention have yet been identified in this case.

For the full list of how to protect your funds as an individual, check our Prevention Policies for Individuals guide.

Platform Prevention Policies

Policies for platforms to take to prevent this situation have not yet been selected in this case.

For the full list of how to protect your funds as a financial service, check our Prevention Policies for Platforms guide.

Regulatory Prevention Policies

No specific regulatory policies have yet been identified in this case.

For the full list of regulatory policies that can prevent loss, check our Prevention Policies for Regulators guide.

References