Project name: Hector Network
Project type: DeFi
Date of exploit: Jan 15th, 2024
Asset loss: $2.7M
Vulnerability: Centralization Risk / Private Key Leak / Inside Job
Date of audit conducted: Dec 19th, 2023
Conclusion: Out of audit scope
The affected codebase is related to Hector Network’s liquidation process, which distributes the treasury to the token holders from the Fantom Chain to the ETH Mainnet. For example, users can register HEC on Fantom and claim USDC on Mainnet based on a rate determined by the backend.
In detail, users will first need to register their wallets with qualifying tokens. A privileged role, "moderator," can call the "AddEligibleWallet()" function with the amount that users can claim. Finally, the registered eligible wallets will be able to claim the assets via mintWithdraw.
The centralized AddEligibleWallet function grants the deployer(i.e., moderator) the capability to designate specific addresses (i.e., in this exploit addresses 0x86D3E3e) as the eligible wallet in transactions 0x1b813d9. The eligible wallet is able to call mintWithdraw
and trigger transferRedemption
to drain assets from the treasury with transactions 0xd1b342c.
In light of the $2.7 million withdrawal incident from Hector Network's contract, we have gathered all the relevant information and are committed to maintaining transparency with the public.
Further examination linked these activities to the centralized "AddEligibleWallet" function. This function permits the deployer(i.e., moderator) to nominate arbitrary addresses as eligible wallets. These eligible wallets have the capability to execute the “mintWithdraw” function and trigger “transferRedemption”, leading to the extraction of assets from the HectorRedemptionTreasury contract.
In conclusion, a CertiK audit report dated December 19, 2023, had previously pinpointed the risks associated with centralization, urging the team to explore alternative approaches to reduce the vulnerability of a single point of failure in centralized roles operation. Despite this, the client expressed their preference to retain the centralized mechanism due to operational reasons.
While CertiK respected the client's decision, the firm maintained its stance that the risk issue was NOT adequately addressed, and thus, the status of the findings remained classified as "Acknowledged."