
Post Mortem: Hector Network


Project name: Hector Network

Project type: DeFi

Date of exploit: Jan 15th, 2024

Asset loss: $2.7M

Vulnerability: Centralization Risk / Private Key Leak / Inside Job

Date of audit conducted: Dec 19th, 2023

Conclusion: Out of audit scope

Details of the Exploit

Background

The affected codebase belongs to Hector Network's liquidation process, which distributes the treasury to token holders across chains, from Fantom to Ethereum Mainnet. For example, a user registers HEC on Fantom and claims USDC on Mainnet at a rate determined by the project's backend.

In detail, users first register wallets that hold qualifying tokens. A privileged "moderator" role then calls the AddEligibleWallet() function with the amount each registered user may claim. Finally, the registered eligible wallets claim the assets via mintWithdraw.

Nature of the Vulnerability

The centralized AddEligibleWallet function gives the deployer (i.e., the moderator) the ability to designate arbitrary addresses as eligible wallets; in this exploit, address 0x86D3E3e was designated in transaction 0x1b813d9. The eligible wallet then called mintWithdraw, which triggered transferRedemption and drained assets from the treasury in transaction 0xd1b342c.
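The pattern described in the Background and Nature of the Vulnerability sections, as an added illustration that is not Hector Network's code or any contract CertiK audited: the first contract shows a single privileged key that can name any address and any amount and have it claimable immediately; the second shows one way to keep a moderator role for operational convenience while removing the single point of failure. All contract, function and event names, the guardian multisig, the delay and both caps are assumptions for the example.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.20;

interface IERC20 {
    function transfer(address to, uint256 amount) external returns (bool);
}

/// Illustrative (hypothetical) centralized pattern: one key decides who is
/// eligible and for how much, and the claim path trusts that decision at once.
contract RedemptionVulnerable {
    IERC20 public immutable payout;              // payout token, e.g. USDC (assumed)
    address public moderator;
    mapping(address => uint256) public claimable;

    constructor(IERC20 payout_) { payout = payout_; moderator = msg.sender; }

    modifier onlyModerator() { require(msg.sender == moderator, "not moderator"); _; }

    // No delay, no cap, no second approver: a leaked or misused moderator key
    // can make any address eligible for the full treasury balance.
    function addEligibleWallet(address wallet, uint256 amount) external onlyModerator {
        claimable[wallet] = amount;
    }

    function mintWithdraw() external {
        uint256 amount = claimable[msg.sender];
        require(amount > 0, "not eligible");
        claimable[msg.sender] = 0;
        require(payout.transfer(msg.sender, amount), "transfer failed");
    }
}

/// Hardened variant (hypothetical): eligibility is proposed, becomes claimable
/// only after a public delay, is bounded per wallet and in total, and a separate
/// guardian key (intended to be a multisig) can veto a pending proposal.
contract RedemptionTimelocked {
    IERC20 public immutable payout;
    address public immutable moderator;
    address public immutable guardian;           // assumed distinct from moderator
    uint256 public immutable delay;              // e.g. 48 hours
    uint256 public immutable perWalletCap;
    uint256 public immutable totalCap;
    uint256 public totalAllocated;

    struct Pending { uint256 amount; uint64 readyAt; }
    mapping(address => Pending) public pending;
    mapping(address => uint256) public claimable;

    event EligibilityProposed(address indexed wallet, uint256 amount, uint64 readyAt);
    event EligibilityVetoed(address indexed wallet, uint256 amount);
    event EligibilityActivated(address indexed wallet, uint256 amount);
    event Claimed(address indexed wallet, uint256 amount);

    constructor(IERC20 payout_, address guardian_, uint256 delay_, uint256 perWalletCap_, uint256 totalCap_) {
        payout = payout_; moderator = msg.sender; guardian = guardian_;
        delay = delay_; perWalletCap = perWalletCap_; totalCap = totalCap_;
    }

    // The moderator can still onboard wallets, but every proposal is bounded,
    // counted against a global budget, and visible on-chain before it is live.
    function proposeEligibleWallet(address wallet, uint256 amount) external {
        require(msg.sender == moderator, "not moderator");
        require(amount <= perWalletCap, "exceeds per-wallet cap");
        require(totalAllocated + amount <= totalCap, "exceeds total cap");
        require(pending[wallet].amount == 0 && claimable[wallet] == 0, "already set");
        totalAllocated += amount;
        uint64 readyAt = uint64(block.timestamp + delay);
        pending[wallet] = Pending(amount, readyAt);
        emit EligibilityProposed(wallet, amount, readyAt);
    }

    // A second, independent key can cancel anything suspicious during the delay.
    function veto(address wallet) external {
        require(msg.sender == guardian, "not guardian");
        Pending memory p = pending[wallet];
        require(p.amount > 0, "nothing pending");
        delete pending[wallet];
        totalAllocated -= p.amount;
        emit EligibilityVetoed(wallet, p.amount);
    }

    // Anyone may activate a matured proposal; the timelock is the only gate.
    function activate(address wallet) public {
        Pending memory p = pending[wallet];
        require(p.amount > 0, "nothing pending");
        require(block.timestamp >= p.readyAt, "timelock active");
        delete pending[wallet];
        claimable[wallet] = p.amount;
        emit EligibilityActivated(wallet, p.amount);
    }

    function mintWithdraw() external {
        if (pending[msg.sender].amount > 0) activate(msg.sender);
        uint256 amount = claimable[msg.sender];
        require(amount > 0, "not eligible");
        claimable[msg.sender] = 0;                // zero before transfer (reentrancy)
        require(payout.transfer(msg.sender, amount), "transfer failed");
        emit Claimed(msg.sender, amount);
    }
}
```

The point of the second contract is not that the moderator disappears but that a compromised or malicious moderator key can no longer drain the treasury in a single transaction: the per-wallet and total caps bound the damage, the delay gives the team and the public time to see an anomalous EligibilityProposed event, and the guardian (which should be a multisig, not the same operator) can veto before funds move. Off-chain monitoring should alert on any proposal to an address absent from the registered-wallet list, on amounts near the cap, and on proposals made outside the expected operational window.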

CertiK Audit Overview

(Four screenshots of the relevant findings from the CertiK audit report, captured on 2024-01-17, appear here in the original page.)

Conclusion

In light of the $2.7 million withdrawal from Hector Network's contract, we have gathered the relevant information and are committed to maintaining transparency with the public.

Further examination linked this activity to the centralized "AddEligibleWallet" function, which permits the deployer (i.e., the moderator) to nominate arbitrary addresses as eligible wallets. Those wallets can then execute "mintWithdraw", which triggers "transferRedemption" and extracts assets from the HectorRedemptionTreasury contract.

In conclusion, the CertiK audit report dated December 19, 2023, had already pinpointed the centralization risk and urged the team to explore alternatives that would remove the single point of failure inherent in operating through privileged roles. The client nevertheless chose to retain the centralized mechanism for operational reasons.

While CertiK respected the client's decision, the firm maintained that the risk was NOT adequately addressed, and the finding's status therefore remained "Acknowledged."

