Project name: Hashflow
Project type: DEX
Date of exploit: June 14th, 2023
Asset loss: $640,000
Vulnerability: Lack of Access Control
Date of audit report publishing:
Conclusion: Out of Audit Scope
Hashflow is a multichain decentralized exchange (DEX) that enables users to trade assets.
The vulnerable contract is unverified, and the vulnerable 0x1ce5 function contains a transferFrom call that the attacker could trigger to steal funds from users who had approved the contract.
The attacker contract appears to have a recovery function that users can call to get their money back.
On June 14th, 2023, Hashflow experienced a loss of ~$605k across five chains.
The vulnerable function was absent from the audited codebase, meaning it is out of the audit scope.