Open in app

Sign in

Write

Sign in

Analysis of the Hedgey Finance Exploit

Resulting in a loss of $44.7 million worth of assets

Satyam
4 min readJul 7, 2024

On April 19th of this year, Hedgey Finance fell victim to a standard flash loan attack by hackers who stole $2.1 million on the Ethereum Mainnet and $42.6 million worth of assets on the Arbitrum network, resulting in approximately $44.7 million lost funds.

Cyvers first reported the exploit, and Hedgey Finance confirmed it a few hours later.

But what does Hedgey finance do?

Background

Hedgey Finance provides a free platform for creating and managing on-chain token vesting, lockups, claim portals, and associated functionalities. It claimed to be "the #1 token vesting and lockup tool," to this day, it does the same even after the exploit. It's so ironic. They will need a lot of work to regain that trust.

Vulnerability Analysis & Impact

On-Chain Details

Attacker Address: 0xDed2b1a426E1b7d415A40Bcad44e98F47181dda2

Attack Contract: 0xC793113F1548B97E37c409f39244EE44241bF2b3

Vulnerable Contract: 0xBc452fdC8F851d7c5B72e1Fe74DFB63bb793D511

Main Attack Transactions: 0x2606d459a50ca4920722a111745c2eeced1d8a01ff25ee762e22d5d4b1595739

Root Cause

The root cause of the hack was the lack of input validation on the user's parameter within a critical function inside the token-locking contracts, which helped the attacker gain access to unauthorized tokens. This token approval vulnerability was created in the ClaimCampaigns Contract (in the line 192).

Locked_VestingTokenPlans/contracts/Periphery/ClaimCampaigns.sol at…

Contribute to hedgey-finance/Locked_VestingTokenPlans development by creating an account on GitHub.

github.com

The attacker started by taking a flash loan and created a new campaign using the createLockedCampaign() Function. The creation of tokenLocker granted the exploiter's contract approval to interact with the token vested under the Hedgey's contract. In the same transaction, the cancelCampaign() function withdraws tokens from the tokenLocker, but it fails to revoke the granted token allowance, although it revoked the claim approval. With the approval still there, the attacker can transfer other unauthorized tokens.

The Attack

Transaction 1: Preparation

  1. The attacker receives $1.3M USDC in flash loan from Balancer for the exploit contract.
  2. Attacker creates campaign with locking $1.3M USDC via the createLockedCampaign() function.
  3. Attacker cancels campaign via the cancelCampaign() function, exploit contract receives the locked $1.3M USDC back and returns it to the Balancer.
The Preparation Transaction Flow: 0xa17fdb804728f226fcd10e78eae5247abd984e0f03301312315b89cae25aa517

Transaction 2: Draining Funds

  1. The cancelCampaign() function does give back the funds but doesn't revoke the allowance for using transferFrom on the USDC token contract.
  2. The attacker used this door to drain $1.3M USDC from the ClaimCampaigns contract using transferFrom on the USDC token contract.
  3. In addition to USDC, a large number of NOBL Tokens were stolen from the ClaimCampaigns contract valued at $0.8M at that time. Also, adding to it, $20K MASA tokens were stolen.
The NOBL token Transaction Flow: 0x47da1ac72d488f746865891c9196c1632ae04f018b285b762b2b564ad1d3a9e5

4. The attacker also utilized the Arbitrum network to exploit the same vulnerability to abscond with more than 77.74M BONUS tokens valued at around $42M at the time of the exploit. On Arbitrum,

Exploiter's address: 0xc7241e27ee4b8d32b59a10e848b48530047a8c5b

Attack Contract: 0xbb52f1723ddf2c84ba2668f4e04712f572cbf780

Exploited Contract: 0xbc452fdc8f851d7c5b72e1fe74dfb63bb793d511

Total Loss

Since the liquid backing of the token is essential to determine the actual value of the tokens stolen, the real loss is much less than the loss reported by multiple reports. The attacker's wallet still has a balance of 76.8M BONUS tokens. A further 200k tokens were transferred to a Bybit account, and ~900k tokens remain in additional wallets. So, the total loss is around $600K on Arbitrum and $2.1M on Ethereum, totaling $2.7M.

76.8M BONUS token on exploiter's address

The flow of Funds

Too complex to explain, I know, and that too in writing. Very difficult. Hopefully, you will understand what took place from the above flow diagram.

Aftermath

Following the hack, the Hedgey team went on X to inform its users about the hack and advise users to cancel their active claims to mitigate any additional impact. Hopefully, it mitigated some potential loss.

Lessons Learned

A reminder of the importance of robust security measures in decentralized finance (DeFi) protocols.

  • Input validation and parameter verification are fundamental safeguards against exploitation.
  • Auditing is essential and helps remove vulnerabilities pre-hack.
  • This incident also highlights the limitations of audits and the importance of real-time transaction security measures. As mentioned before, the detection by Cyvers.
  • Business logic maintenance is crucial in any project's development and design process.
  • The flaw was solved as quickly as adding and deleting a line of code.
Exploit Fixed on ClaimCampaigns.sol

These crypto exploits are a constant reminder of the importance of security in this field. This line of code cost Hedgey around $3M, which is expensive. The question remains: can Hedgey reclaim the trust it has lost?

I hope you like it. For more such content, follow me on Medium or X.

Till then, adiós!

Thank you for reading.

Hedgey
Hack Analysis
Ethereum
Arbitrum

--

--

Satyam
Satyam

Written by Satyam

5 Followers
1 Following

A Dilettante Writer / Blockchain Developer. (satyam.btc, satyvm.eth)

No responses yet

Help

Status

About

Careers

Press

Blog

Privacy

Terms

Text to speech

Teams