Sentiment Liquidity Protocol Hacked for $1 Million: How the Attack Happened

By Soumen Datta

April 5, 2023

The Sentiment team has confirmed the attack, paused the main contract, and implemented a fix for the vulnerability with the help of third-party security auditors.

Hacker Took Advantage of Reentrancy Vulnerability
The Sentiment liquidity protocol on the Arbitrum blockchain was hacked on April 4 for almost $1 million in various tokens, including wrapped Bitcoin and Ether.

Sentiment team members confirmed the attack, saying that unusual borrowing activity had been identified as a malicious exploit. To deal with the situation, the team paused the main contract and disabled all functionality except withdrawals.

Possible Cause for the Attack
The attacker apparently stole the tokens via a reentrancy vulnerability and then moved them to the Ethereum chain. As CertiK points out, the fundamental reason is Balancer’s read-only reentrancy.

The price oracle used to determine the price is based on the asset balances in the pool and the total amount of LP tokens. As reported, by using the Balancer vault’s joinPool() function, the exploiter increased the overall supply of the LP token by 606 WBTC, 10,000 WETH, and 18 million USDC. The funds were then withdrawn using exitPool(), which sent 606.8 WBTC, 1,000 ETH, and 17.9 million USDC sequentially.

A fallback function reduces demand, but the pool balances of WBTC, WETH, and USDC remain the same, so the price is skewed, allowing the attacker to borrow many assets at the skewed price.
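The oracle behaviour described above, as an added toy model in Python (not Sentiment's or Balancer's code), showing the price a naive oracle reads mid-exit next to an oracle that refuses to price while the pool is mid-operation. It assumes the LP supply is reduced before the pool balances are updated while the recipient's fallback runs; `ToyPool`, the `locked` flag, and all amounts and prices are constructed for illustration.

```python
# Toy model, constructed for illustration: an oracle that prices LP as
# pool value / LP supply, read while an exit is only half-finished.
class PoolBusy(Exception):
    """Raised when the pool is in the middle of a join/exit."""

class ToyPool:
    def __init__(self, balances, lp_supply):
        self.balances = dict(balances)  # token -> amount held by the pool
        self.lp_supply = lp_supply
        self.locked = False             # hypothetical in-progress flag

    def exit_pool(self, lp_burned, on_payout):
        # on_payout models the recipient's fallback running mid-transfer.
        self.locked = True
        share = lp_burned / self.lp_supply
        owed = {t: b * share for t, b in self.balances.items()}
        self.lp_supply -= lp_burned     # assumed order: supply reduced first
        seen = on_payout()              # external code sees stale balances
        for token, amount in owed.items():
            self.balances[token] -= amount  # balances settle only afterwards
        self.locked = False
        return seen

def naive_lp_price(pool, usd):
    value = sum(amount * usd[t] for t, amount in pool.balances.items())
    return value / pool.lp_supply

def guarded_lp_price(pool, usd):
    # Mitigation: refuse to price while pool state is mid-update.
    if pool.locked:
        raise PoolBusy("pool mid-operation; price not trustworthy")
    return naive_lp_price(pool, usd)

def demo():
    usd = {"WBTC": 28000.0, "WETH": 1900.0, "USDC": 1.0}  # constructed prices
    pool = ToyPool({"WBTC": 100.0, "WETH": 1000.0, "USDC": 2_000_000.0}, 1000.0)
    before = naive_lp_price(pool, usd)
    def fallback():
        try:
            guarded = guarded_lp_price(pool, usd)
        except PoolBusy:
            guarded = "rejected"
        return naive_lp_price(pool, usd), guarded
    during, guarded = pool.exit_pool(500.0, fallback)
    return before, during, guarded, naive_lp_price(pool, usd)

if __name__ == "__main__":
    print(demo())
```

In this model the naive oracle reports double the true LP price during the exit and the correct price before and after it, which is why a lending protocol that values LP collateral this way needs the guarded read.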

Sentiment is now investigating the funds stolen from the protocol. In addition, the team is working with law enforcement to identify the hacker and recover the funds.

In collaboration with third-party security auditors, the Sentiment team released a fix resolving the vulnerability, allowing users to repay debts and unwind their positions.

Sentiment also sent a message to the hacker, offering to let them keep 10% of the stolen funds as a bounty if they returned the rest. In the letter, the company promised a $95,000 payment if the assets were returned before 8 a.m. UTC on April 6.

If the funds are not returned, Sentiment will distribute the bounty to those who provide information about the hacker. The liquidity protocol on Arbitrum had previously been audited by two crypto security firms.

Sentiment has a total value locked (TVL) of $5.8 million, down from $10.76 million on April 4.

What is Sentiment:
Sentiment is a liquidity protocol that enables permissionless undercollateralized borrowing on chain. The protocol aims to address capital inefficiencies in DeFi by offering a primitive-based solution for permissionless, undercollateralized on-chain credit. By implementing on-chain hypothecation, Sentiment mitigates the challenge of widespread counterparty risk.
