Introduction
On 19 April 2024, Hedgey Finance was exploited for approximately $2 million on Ethereum in addition to a number of BONUS tokens on Arbitrum. The attacker took advantage of an oversight in the project’s ClaimCampaigns contract in which token approvals were not revoked, meaning anyone who used the createLockedCampaign() function could transfer tokens from the contract to themselves. This incident was the second largest exploit to have occurred in April 2024.
Vulnerability
Vulnerable Contract: ClaimCampaigns.sol 0xBc452fdC8F851d7c5B72e1Fe74DFB63bb793D511
The attacker began by calling the createLockedCampaign() function. During this call an approval is granted to tokenLocker which in the case of this attack was the exploiter’s contract 0xC793113F1548B97E37c409f39244EE44241bF2b3.
The attacker then cancelled the campaign within the same transaction. The cancelCampaign() function withdraws tokens to the tokenLocker but it doesn’t revoke the approval that was granted.
With the approvals left in place, the attacker can initiate a transferFrom and transfer approved tokens.
Attack Flow
This attack flow is based on the initial exploit by 0xDed2b1a426E1b7d415A40Bcad44e98F47181dda2 in which they took 1.3m USDC. The attack happened across two transactions. The first of which exploited the vulnerability and the second transferred assets.
-
The attacker flash loaned 1.305m USDC from Balancer and called createLockedCampaign() from the ClaimCampaigns contract. 0xbc452fdc8f851d7c5b72e1fe74dfb63bb793d511. This process granted the attacker approval to spend the 1.305m USDC they transferred to the ClaimCampaign contract.
-
The attacker then called cancelCampaign() and withdrew the USDC which was repaid to Balancer.
-
The attacker used the transferFrom() function and initiated a transfer of 1,303,910 USDC. As the cancelCampaign() function didn’t revoke the approval granted, the USDC was transferred.
-
The above process was repeated by the attacker to take NOBL tokens which were sold for ~$600k.
Since initial exploit, copycat exploiters took further assets, approximately $20k in MASA tokens and 78,148,820 BONUS tokens.
Calculating the Losses
Since the Hedgey Finance incident, we have seen multiple misreports that the overall loss was in the region of $44 million. The reason behind this inaccurate figure was due to the amount of BONUS tokens that were stolen and multiplying that figure by the price of one BONUS token. This figure does get you to ~$44 million, however this calculation does not take into account the liquidity backing the token.
The attacker’s wallet still has a balance of 76.8m BONUS tokens. A further 200k tokens were transferred to a Bybit account and ~900k tokens remain in additional wallets.
A similar example occurred in late 2023 with the MultiChain hack which initially saw assets worth over $1 billion lost. However, the vast majority of these tokens were illiquid, which the crypto security community correctly identified and revised losses accordingly. Another recent example came from the Curio exploit where a malicious proposal was passed resulting in the minting of ~ 1 trillion CGT tokens. When multiplying the token price with the amount we are presented with an initial loss of $39 billion, however the token doesn’t have anywhere near that much liquidity. This incident has also been oddly misreported as $39 million in losses, which we assume is a miscount of two decimal places as the attacker only gained $173k.
When calculating the losses of an incident, it is vital to consider the liquidity backing an asset rather than just token balance * price.
Stolen Fund Movement
CertiK has identified three attackers, with the majority of lost funds attributed to one address on the Ethereum network. A second copycat exploiter was also identified on the Ethereum network and is linked to a previous exploit on Unizen which can be seen in the below transaction.
The third exploiter that we have identified that attacked Hedgy Finance on Arbitum who stole 78,148,820 BONUS tokens on the Arbitrum network. The attacker was initially funded via Axelar bridge with the sending wallet EOA 0xC7241E27Ee4B8D32b59a10E848B48530047a8c5b on the Ethereum network.
This address has previously been involved in malicious activity, such as an exploit on an old approval contract belonging to Kardia Bridge resulting in the loss of 10.5 WETH as the victim hadn’t revoked permissions.
Conclusion
In a relatively quiet month for crypto exploits, Hedgey Finance was the costliest incident due to a code vulnerability that we recorded in April, and the second largest incident overall in the same month. A single line of missing code to revoke user’s approvals was enough to cost the project over $2m in losses. Such coding errors can be found in smart contract audits conducted by CertiK.
Visit https://www.certik.com/products/smart-contract-audit to find out more about our auditing process!
