Hope Finance Loses All Hope

From Quadriga Initiative Cryptocurrency Hacks, Scams, and Frauds Repository

Hope Finance is an ecosystem built on the Arbitrum network and its token $HOPE is dynamically adjusted relative to the price of $ETH, instead of being pegged to a stable coin. The team aimed to make $ETH the main medium of exchange on the Arbitrum network by providing a mirrored, liquid asset to $ETH. The project underwent two audits prior to launch and completed KYC by Audit Rate Tech. However, during the Genesis launch, funds were drained from the GenesisRewardPool contract, and it appears to have been a scam orchestrated by the project's team. The team approved the transaction preparing the rug, and faked KYC is not hard to come by. Therefore, the situation seems hopeless, and users should not get their hopes up.

About Hope Finance

[1][2][3][4][5][6]

"The $HOPE algorithmic token serves as the backbone of a rapidly growing ecosystem aimed at bringing liquidity and new use cases to the Arbitrum network.

The protocol's underlying mechanism dynamically adjusts $HOPE's supply, pushing its price up or down relative to the price of $ETH."

"Unlike previous algorithmic tokens, $HOPE is not pegged to a stable coin— it is instead pegged to $ETH. Hope Finance believes in the potential of the Arbitrum network, and has chosen to align its mission to both provide value to and derive value from $ETH's future growth. In addition to existing and future use cases such as ETH Pad, $HOPE aims to make ETH the main medium of exchange on the Arbitrum network: this will be achieved by providing a mirrored, liquid asset to $ETH.

One of the primary shortcomings of past algorithmic tokens has been a lack of use cases, leaving no good reason for somebody to want to use or hold them. In order to successfully maintain the peg in the long-run, the Hope Finance team will maintain a focus on innovation around enhanced functionality and use cases."

"We are presented on #Apeoclock! Hype hype hype!"

"Attention all Genesis investors! Ownership has been renounced, making it safe to deposit and refer friends to earn referral profit. Don't miss out on this opportunity!"

"Exciting news for crypto traders! Genesis starts in just 30 minutes, and we're thrilled to announce that leverage trading will be available during the genesis. Get ready to maximize your gains with $wETH and $HOPE trading on our platform! #trading #DeFi #genesislaunch #yield"

"The project had two audits prior to launch, by Cognitos (the code passed despite auditors flagging two ‘major’ issues, neither of which related to the mechanism used to rug) and AuditRateTech (who appear to have deleted the audit report, although a KYC certificate still remains on their site)."

"HOPE FINANCE HAS SUCCESSFULLY COMPLETED KYC BY AUDIT RATE TECH."


This is a global/international case not involving a specific country.


The Reality

What Happened

Key Event Timeline - Hope Finance Loses All Hope

| Date | Event | Description |
|---|---|---|
| February 19th, 2023 11:41:37 PM MST | Smart Contract Deployed | The original smart contract was deployed[7]. |
| February 20th, 2023 6:30:00 AM MST | 30 Minutes Until Launch | The Hope Finance Twitter posts that "[g]enesis starts in just 30 minutes" and their followers should "[g]et ready to maximize [their] gains"[8]. |
| February 20th, 2023 7:00:00 AM MST | Launch Announced | Hope Finance announces the launch on Twitter and you can now "[t]rade like a pro[fessional] with leverage". "Don't miss out on this opportunity to boost your bags."[9] |
| February 20th, 2023 8:48:00 AM MST | 10 Minutes Until Launch | "10 minutes before the start! Join to hear more about Hope Finance!"[10]. This includes a reference to a Tweet by James Pelton that has since been removed. |
| February 20th, 2023 10:31:41 AM MST | WETH Removed From Liquidity Pool | A total of 477.482401142987598565 Wrapped Ethereum is removed from the Hope Finance liquidity pool contract. The funds are transferred through two wallets in the same transaction[11]. |
| February 20th, 2023 10:31:47 AM MST | USDC Removed From Treasury | An additional 1,061,759.80075 USDC is removed from the Hope Finance liquidity pool, and swapped from one address to another in the same transaction[12]. |
| February 20th, 2023 3:33:00 PM MST | Scammer Doxxed on Twitter | Photos and ID are published of the alleged scammer on Twitter[13]. |
| February 21st, 2023 1:02:00 AM MST | Published Withdraw Instructions | The Hope Finance team published instructions for users to withdraw their liquidity from the staking pool[14]. |
| February 22nd, 2023 7:51:00 AM MST | Rekt Article Published | The incident is shared to the Rekt newsfeed and leaderboard[15][16]. |

Technical Details


"Funds were drained (~$800k in WETH and ~$1M in USDC) from GenesisRewardPool contract at launch."

"In preparation for the @hope_fin exit scam, a fake router was deployed in txn 0xf188.

The SwapHelper was then updated to use this fake router in txn 0xc9ee. This txn was approved by all 3 owners of Hope’s multisig 0x8ebd.

In txn 0x1b47, _swapExactTokenForTokens variable was set to wallet address, 0x957D.

When GenesisRewardPool.openTrade() is called to borrow USDC, GenesisRewardPool transfers WETH to TradingHelper to convert to USDC.

Instead of swapping, USDC was sent to 0x957D.

As the _uSDC address was deliberately left empty, the receiving address (0x957D) was passed to v2 and the swapExactTokensForTokens() transferred 477 WETH to 0x957D."
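
The router replacement quoted above is a change to a contract dependency made by an admin transaction shortly before launch. As an added example (not code from the original page or from Hope Finance), the following Python replays a constructed list of admin events against an audited configuration and reports every dependency that no longer matches it; all addresses, slot names and timestamps are placeholder assumptions.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class AdminEvent:
    time: int        # block timestamp (seconds)
    contract: str    # contract whose configuration changed
    slot: str        # name of the configured dependency
    value: str       # new address stored in that slot

# Constructed sample data: every address, slot name and timestamp is a placeholder.
AUDITED = {("SwapHelper", "router"): "0xAUDITED_ROUTER",
           ("RewardPool", "helper"): "0xSWAP_HELPER"}
DEPLOYED_AT = {"0xAUDITED_ROUTER": 0, "0xSWAP_HELPER": 500, "0xNEW_ROUTER": 9_000}
VERIFIED = {"0xAUDITED_ROUTER", "0xSWAP_HELPER"}   # source published on explorer
EVENTS = [AdminEvent(600, "RewardPool", "helper", "0xSWAP_HELPER"),
          AdminEvent(9_500, "SwapHelper", "router", "0xNEW_ROUTER")]

def current_config(events, baseline):
    """Replay admin events in time order on top of the audited baseline."""
    state = dict(baseline)
    for e in sorted(events, key=lambda e: e.time):
        state[(e.contract, e.slot)] = e.value
    return state

def drift_report(events, baseline, launch_time, min_age=86_400):
    """List dependencies that no longer match the audit, with risk reasons."""
    last = {(e.contract, e.slot): e for e in sorted(events, key=lambda e: e.time)}
    report = []
    for key, value in current_config(events, baseline).items():
        if value == baseline.get(key):
            continue  # still the audited dependency
        e, reasons = last[key], ["differs from audited value"]
        if value not in VERIFIED:
            reasons.append("unverified source")
        if e.time - DEPLOYED_AT.get(value, e.time) < min_age:
            reasons.append("target deployed shortly before change")
        if 0 <= launch_time - e.time < min_age:
            reasons.append("changed within a day of launch")
        report.append((key, value, reasons))
    return report
```

With the sample data and a launch time of 10,000, only the SwapHelper router slot is reported, and it carries all four reasons.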


"For users, the situation seems…

Hopeless."

"It’s possible that this case will end in whoever is responsible being brought to justice…

But don’t get your Hopes up."

Total Amount Lost

The amount removed from the liquidity pool was a mix of Wrapped Ethereum and USDC:

  • 477.482401142987598565 WETH[11] at a closing market price of $1,702.68 USD = $812,999.73 USD.
  • 1,061,759.80075 USDC[12] at an approximate value of $1.00 USD = $1,061,759.80 USD.

The total adds up to $1,874,759.54 USD. The amount lost has been estimated at $1,875,000 USD.

Immediate Reactions


"SCAMMER!!!! HE SCAMMED COMMUNITY FOR 2 MLN DOLLARS"

"While the official story may be of a dev gone rogue, the tx preparing the rug was approved by all three accounts on the team’s multisig. And faked KYC is not hard to come by."

Twitter Reactions

There were some reactions from Twitter users DividendMiracle[17] and jungjeonnyuseu[18].

Rugged already???

Please give me back my 1.2 eth

Ultimate Outcome

Total Amount Recovered

There do not appear to have been any funds recovered in this case.

Ongoing Developments

Individual Prevention Policies

Avoid the use of smart contracts unless necessary. Minimize the level of exposure by removing or withdrawing assets whenever possible. Aim to choose smart contracts which have obtained third party security audits, preferably having been audited by at least three separate reputable firms. Pay attention to the audit reports, which smart contracts are covered, and whether the smart contract has been upgraded or modified since the report. Ensure that any administrative functions with the ability to remove funds from the smart contract are under the authority of a multi-signature wallet which is controlled by at least three separate and reputable entities.

For the full list of how to protect your funds as an individual, check our Prevention Policies for Individuals guide.

Platform Prevention Policies

All aspects of any platform should undergo a regular validation/inspection by experts. This validation should include a security audit of any smart contracts, reporting any risks to the backing of any customer assets, ensuring treasuries or minting functions are properly secured under the control of a multi-signature wallet, and finding any inadequacies in the level of training or integrity of the team. The recommended interval is twice prior to launch or significant system upgrade, once after 3 months, and every 6 months thereafter. It is recommended that the third party performing the inspection not be repeated within a 14 month period.

For the full list of how to protect your funds as a financial service, check our Prevention Policies for Platforms guide.

Regulatory Prevention Policies

All platforms should undergo published security and risk assessments by independent third parties. Two assessments are required at founding or major upgrade, one after 3 months, and one every 6 months thereafter. The third parties must not repeat within the past 14 months. A risk assessment needs to include what assets back customer deposits and the risk of default from any third parties being lent to. The security assessment must include ensuring a proper multi-signature wallet, and that all signatories are properly trained. Assessments must be performed on social media, databases, and DNS security.

For the full list of regulatory policies that can prevent loss, check our Prevention Policies for Regulators guide.

References

  1. Home - HOPE FINANCE (May 3, 2023)
  2. KYC/Doxx Verification Certificate - Audit Rate Tech (May 3, 2023)
  3. https://auditrate.tech/certificate/scam/Hope_Finance_ID.jpg (May 3, 2023)
  4. Hope Finance Twitter (May 3, 2023)
  5. Hope Finance Farming Contract - Audit | Smart Contract Security Audit (May 3, 2023)
  6. Contracts & Wallets - HOPE FINANCE (May 3, 2023)
  7. Arbitrum Transaction Deploying The Original Contract - Arbiscan (May 3, 2023)
  8. Hope Finance - "Exciting news for crypto traders! Genesis starts in just 30 minutes, and we're thrilled to announce that leverage trading will be available during the genesis. Get ready to maximize your gains with $wETH and $HOPE trading on our platform!" - Twitter (May 3, 2023)
  9. Hope Finance - "Trade like a pro with leverage! Refer > Stake > Earn $HOPE rewards! Don't miss out on this opportunity to boost your bags." - Twitter (May 3, 2023)
  10. Hope Finance - "10 minutes before the start! Join to hear more about Hope Finance!" - Twitter (May 3, 2023)
  11. Removal of 477.482401142987598565 WETH From Hope Finance - Arbiscan (May 19, 2023)
  12. Transaction Moving 1,061,759.80075 USDC From The Treasury - Arbiscan (May 3, 2023)
  13. Hope Finance - "SCAMMER!!!! HE SCAMMED COMMUNITY FOR 2 MLN DOLLARS" - Twitter (May 3, 2023)
  14. Hope Finance - "Steps to withdraw your staked LP from the this [unfortunate] scam protocol" - Twitter (May 3, 2023)
  15. RektHQ - "Abandon Hope all ye who enter here. $1.86M was rugged from @Hope_fin." - Twitter (May 19, 2023)
  16. Rekt - Hope Finance - REKT (May 3, 2023)
  17. DividendMiracle - "Rugged already???" - Twitter (May 3, 2023)
  18. jungjeonnyuseu - "Please give me back my 1.2 eth" - Twitter (May 3, 2023)