Hack Alert - Hedgey Finance Exploited For ~$44 Million
Quick Summary
DeFi platform Hedgey Finance experienced two separate attacks early Friday (April 19th 2024), resulting in total losses of ~$44 million. One attack targeted the Arbitrum network, resulting in the drainage of $42.8 million worth of ARB tokens, while the second attack occurred on the Ethereum network, leading to the theft of $1.9 million.
Less than two hours after the first attack, the Hedgey Finance team acknowledged the incident and urged users to cancel any active claims on their platform. They issued a security alert via social media, advising users to use the "End Token Claim" button on the website.
The exploit's root cause was identified as missing input validation on user-supplied parameters, which let the attacker obtain unauthorized token approvals.
The attacker initiated a flash loan of $1.3 million USDC from Balancer to manipulate the claimLockup parameter within the createLockedCampaign function of the vulnerable contract. Following the flash loan, the attacker executed a call to the cancelCampaign function, allowing them to cancel the campaign and retrieve approved but unclaimed assets.
The attacker leveraged the approved tokens to transfer assets from the victim contract to themselves, draining the Ethereum Mainnet of USDC, NOBL, and MASA tokens, which were subsequently swapped to DAI.
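The pattern described above, as an added illustrative example that is not Hedgey's code: a simplified campaign contract that approves a caller-supplied claimLockup and leaves that allowance in place after cancelCampaign, beside a hardened form that validates claimLockup against a lockup address fixed at deployment and reduces the allowance when a campaign is cancelled. The contract names, the Campaign struct and the trustedLockup constructor argument are assumptions.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.20;

// Minimal ERC-20 surface needed here.
interface IERC20 {
    function transferFrom(address from, address to, uint256 amount) external returns (bool);
    function transfer(address to, uint256 amount) external returns (bool);
    function approve(address spender, uint256 amount) external returns (bool);
    function allowance(address owner, address spender) external view returns (uint256);
}
struct Campaign { address creator; address token; uint256 amount; address claimLockup; }

// Illustrative vulnerable pattern (assumed, not Hedgey's code): the creator supplies
// claimLockup, the contract approves that address over tokens it holds, and
// cancelCampaign refunds the creator without touching the allowance, so a
// creator-controlled claimLockup keeps spending rights over tokens held for others.
contract VulnerableCampaigns {
    mapping(bytes32 => Campaign) public campaigns;
    function createLockedCampaign(bytes32 id, address token, uint256 amount, address claimLockup) external {
        require(campaigns[id].creator == address(0), "exists");
        IERC20(token).transferFrom(msg.sender, address(this), amount);
        IERC20(token).approve(claimLockup, amount); // claimLockup is never validated
        campaigns[id] = Campaign(msg.sender, token, amount, claimLockup);
    }
    function cancelCampaign(bytes32 id) external {
        Campaign memory c = campaigns[id];
        require(c.creator == msg.sender, "not creator");
        delete campaigns[id];
        IERC20(c.token).transfer(c.creator, c.amount); // allowance is left in place
    }
}

// Hardened variant: claimLockup must equal the lockup contract fixed at deployment,
// and the allowance granted for a campaign is reduced again when it is cancelled.
contract HardenedCampaigns {
    mapping(bytes32 => Campaign) public campaigns;
    address public immutable trustedLockup; // assumed: set once by the deployer
    constructor(address lockup) { trustedLockup = lockup; }
    function createLockedCampaign(bytes32 id, address token, uint256 amount, address claimLockup) external {
        require(campaigns[id].creator == address(0), "exists");
        require(claimLockup == trustedLockup, "untrusted lockup"); // input validation
        IERC20(token).transferFrom(msg.sender, address(this), amount);
        IERC20(token).approve(claimLockup, IERC20(token).allowance(address(this), claimLockup) + amount);
        campaigns[id] = Campaign(msg.sender, token, amount, claimLockup);
    }
    function cancelCampaign(bytes32 id) external {
        Campaign memory c = campaigns[id];
        require(c.creator == msg.sender, "not creator");
        delete campaigns[id];
        uint256 cur = IERC20(c.token).allowance(address(this), c.claimLockup);
        IERC20(c.token).approve(c.claimLockup, cur > c.amount ? cur - c.amount : 0); // revoke before refund
        IERC20(c.token).transfer(c.creator, c.amount);
    }
}
```

The two checks that matter for review are the allowlist on claimLockup in createLockedCampaign and the allowance reduction in cancelCampaign before the refund; either one alone still leaves a window.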
The exploit resulted in losses of approximately $2.1 million on the Ethereum Mainnet, with all stolen funds swapped to DAI and transferred to an external address.
On the Arbitrum network, the attacker stole over 77.74 million BONUS tokens, totaling approximately $42.6 million, which were transferred to an address likely controlled by the hacker.
How To Protect Myself?
Use https://revoke.cash to revoke any token approvals you have granted to the vulnerable contract.