Post Mortem: Hashflow
1/7/2024

Project name: Hashflow

Project type: DEX

Date of exploit: June 14th, 2023

Asset loss: $640,000

Vulnerability: Lack of Access Control

Date of audit report publishing:

  • April 13th, 2022: Hashflow
  • May 22nd, 2022: Hashflow - Governance Claimer
  • Sep 19th, 2022: Hashflow-Audit3

Conclusion: Out of Audit Scope

Details of the Exploit

Background

Hashflow is a multichain decentralized exchange (DEX) that enables users to trade assets.

Nature of the Vulnerability

The vulnerable contract is unverified, and its 0x1ce5 function contains a transferFrom call that the attacker could trigger to steal user funds where an approval had been granted. The attacker contract appears to have a recovery function that users can call to get their money back.
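The bug class described above, as an added sketch that is not from the original report and is not the Hashflow contract, whose source is unverified. It assumes the simplest form of a missing access check around transferFrom, and every contract, function and parameter name in it is hypothetical.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.20;

// Added illustration of the bug class only; NOT the unverified Hashflow contract.
// IERC20Minimal, UnguardedPuller, GuardedPuller and pull() are hypothetical names.

interface IERC20Minimal {
    function transferFrom(address from, address to, uint256 amount) external returns (bool);
}

// Weak form (assumed shape of the gap): the caller picks `from`, and nothing
// ties `from` to msg.sender. Every allowance users have granted to this
// contract is therefore spendable by any caller.
contract UnguardedPuller {
    function pull(IERC20Minimal token, address from, address to, uint256 amount) external {
        require(token.transferFrom(from, to, amount), "transfer failed");
    }
}

// Hardened form: tokens can be pulled only from the caller's own balance,
// or by a single operator address fixed at deployment.
contract GuardedPuller {
    address public immutable operator;

    error NotAuthorized(address caller, address from);

    constructor(address operator_) {
        operator = operator_;
    }

    function pull(IERC20Minimal token, address from, address to, uint256 amount) external {
        // The access-control check the weak form lacks.
        if (msg.sender != from && msg.sender != operator) {
            revert NotAuthorized(msg.sender, from);
        }
        // Tokens that return no bool would need a safe-transfer wrapper here.
        require(token.transferFrom(from, to, amount), "transfer failed");
    }
}
```

In the weak form the only thing protecting a user is the size of the allowance they granted, which is why revoking approvals to an affected contract is the user-side mitigation for this class of bug.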


Conclusion

On June 14th, 2023, Hashflow experienced a loss of ~$605k across five chains. The vulnerable contract is unverified, and its 0x1ce5 function contains a transferFrom call that the attacker could trigger to steal user funds where an approval had been granted.

The vulnerable function was absent from the audited codebase, meaning it is out of the audit scope.
