
Post Mortem: Hashflow


Project name: Hashflow

Project type: DEX

Date of exploit: June 14th, 2023

Asset loss: $640,000

Vulnerability: Lack of Access Control

Date of audit report publishing:

  • April 13th, 2022: Hashflow
  • May 22nd, 2022: Hashflow - Governance Claimer
  • Sep 19th, 2022: Hashflow-Audit3

Conclusion: Out of Audit Scope

Details of the Exploit

Background

Hashflow is a multichain decentralized exchange (DEX) that enables users to trade assets.

Nature of the Vulnerability

The vulnerable contract is unverified (its source code is not published on the block explorer). The 0x1ce5 function it exposes wraps a transferFrom call and has no caller restriction, so the attacker could invoke it to pull tokens from any user who had granted the contract an ERC-20 approval. The attacker's contract appears to expose a recovery function that affected users can call to retrieve their funds.
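The pattern described above, shown as an added illustration that is not Hashflow's code or CertiK's audit material: a router-style contract whose token-pulling function can be called by anyone with an arbitrary `from` address, beside a hardened version that only consumes the caller's own allowance and puts privileged token movement behind an owner check. The contract and function names (`VulnerableRouter`, `pullFunds`, `HardenedRouter`, `deposit`, `sweep`) are assumptions chosen for the example.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.20;

// Minimal ERC-20 surface needed for the example.
interface IERC20 {
    function transfer(address to, uint256 amount) external returns (bool);
    function transferFrom(address from, address to, uint256 amount) external returns (bool);
}

/// Vulnerable pattern (illustrative; name and layout are assumptions, not Hashflow's code).
/// Anyone can call pullFunds with any `from`, so every account that has approved this
/// contract to spend its tokens can be drained to an attacker-chosen `to`.
contract VulnerableRouter {
    function pullFunds(IERC20 token, address from, address to, uint256 amount) external {
        // No access control and no check that `from == msg.sender`:
        // the allowance a user granted for normal trading is usable by any caller.
        require(token.transferFrom(from, to, amount), "transferFrom failed");
    }
}

/// Hardened version (also an assumption for illustration). The only allowance that can
/// be consumed is the caller's own, and the contract's own balance can be moved only by
/// the owner, never a user's approved-but-undeposited balance.
contract HardenedRouter {
    address public immutable owner;

    constructor() {
        owner = msg.sender;
    }

    modifier onlyOwner() {
        require(msg.sender == owner, "not owner");
        _;
    }

    /// A user moves only their own tokens: `from` is fixed to msg.sender, so an
    /// outstanding approval cannot be spent by a third party.
    function deposit(IERC20 token, uint256 amount) external {
        require(token.transferFrom(msg.sender, address(this), amount), "transferFrom failed");
    }

    /// Privileged sweep of tokens already held by this contract. It uses transfer, not
    /// transferFrom, so it cannot reach into user wallets via their allowances.
    function sweep(IERC20 token, address to, uint256 amount) external onlyOwner {
        require(token.transfer(to, amount), "transfer failed");
    }
}
```

The check a practitioner wants when reviewing any function that calls transferFrom is whether the `from` argument is derived from msg.sender or is caller-supplied; if it is caller-supplied, the function must be gated (an owner or role check) or the design must otherwise justify why third parties may spend a user's approval. Users who have approved an unverified contract should set the allowance back to zero with `approve(spender, 0)` rather than waiting for a recovery path.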

CertiK Audit Overview


Conclusion

On June 14th, 2023, Hashflow experienced a loss of ~$605k across five chains. The vulnerable contract is unverified, and its 0x1ce5 function wraps a transferFrom call that any caller could trigger, allowing the attacker to pull tokens from users who had approved the contract.

The vulnerable function was not present in the audited codebase, so it falls outside the scope of the audits listed above.

Related blogs

Post Mortem: Hector Network


In light of the $2.7 million withdrawal incident from Hector Network's contract, we have gathered all the relevant information and are committed to maintaining transparency with the public.

Post Mortem: Fintoch


On May 5th, 2023, Fintoch was rug-pulled, leading to a loss of ~$31.6M.

Post Mortem: Sushiswap


On April 9th, 2023, the RouteProcessor2 contract in Sushiswap was exploited due to missing validation of the input to its processRoute function. The total loss is around $3.3M.