Overview
On April 19, 2024, Hedgey Finance suffered an exploit that resulted in the loss of approximately $2 million on Ethereum and a significant amount of BONUS tokens on Arbitrum.
The attacker exploited a vulnerability in the project’s ClaimCampaigns contract: token approvals that had been granted were not subsequently revoked.
This flaw allowed anyone using the createLockedCampaign() function to transfer tokens from the contract to their account. This incident ranked as the second-largest exploit in April 2024.
About Hedgey Finance
Hedgey Finance is a free platform built on blockchain technology that allows projects to distribute tokens to their team and investors. It supports teams by facilitating the creation and management of on-chain token vesting, lockups, claim portals, and associated functionalities.
Root Cause of the Hack
The root cause of the Hedgey Finance breach was inadequate input validation in a critical function of the project’s token-locking contracts. The attacker exploited this vulnerability using a flash loan, which allowed them to manipulate the contract into granting unauthorized token transfer approvals.
The createLockedCampaign function, which was vulnerable, is designed to establish a locked or vesting claims campaign. While this function included validation for most parameters, it failed to properly validate the claimLockup parameter. This parameter is critical as it specifies details such as the token locker and is used to index the new locking campaign within the protocol’s smart contract.
Detailed Technical Analysis
The vulnerability arises during the creation and cancellation processes of a campaign within a smart contract. When a campaign is created, tokens are locked in the contract, and an allowance is granted to the user.
However, upon cancellation of the campaign, the contract fails to revoke this allowance for the campaign manager. This oversight allows the manager to retain control over the tokens despite the contract logic attempting to prevent further claims.
Here are the pertinent addresses connected to this incident:
Attacker address: https://etherscan.io/address/0xded2b1a426e1b7d415a40bcad44e98f47181dda2
Attack Contract: https://etherscan.io/address/0xc793113f1548b97e37c409f39244ee44241bf2b3
Vulnerable Contract: https://etherscan.io/address/0xbc452fdc8f851d7c5b72e1fe74dfb63bb793d511
Attack Transactions: https://etherscan.io/tx/0xa17fdb804728f226fcd10e78eae5247abd984e0f03301312315b89cae25aa517 and https://etherscan.io/tx/0x2606d459a50ca4920722a111745c2eeced1d8a01ff25ee762e22d5d4b1595739
Here are the steps detailing how the attack unfolded:
Step 1: The attacker initiated the exploit by calling the createLockedCampaign() function. During this call, approval was mistakenly granted to the tokenLocker, which in this case was the attacker’s contract at address 0xC793113F1548B97E37c409f39244EE44241bF2b3. This enabled the attacker to manipulate the contract and obtain unauthorized access to the tokens.
Step 2: Subsequently, the attacker cancelled the campaign within the same transaction. The cancelCampaign() function withdrew tokens to the tokenLocker but failed to revoke the previously granted approval.
Step 3: The attacker then executed another transaction, likely to preempt bot front-running, using the approved USDC transfers to move tokens from the victim contract to their account.
Step 4: The Ethereum Mainnet victim contract lost assets, including USDC, NOBL, and MASA tokens. All the stolen funds were converted to DAI and transferred to an externally owned account (EOA), which currently holds assets worth approximately $2,173,325.
Step 5: On the Arbitrum chain, the attacker managed to abscond with more than 77.74 million BONUS tokens. The address suspected to be under the hacker’s control now possesses assets valued at around $42,624,729 at the time of this writing.
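The allowance lifecycle described in the technical analysis and in Steps 1 to 3, as an added Python model that is not part of the original article and is not Hedgey's code. The class and account names, the trusted_lockers allowlist, the revoke_on_cancel switch and the refund to the manager are assumptions made for illustration; stale_allowance() is the invariant a test suite or monitor would assert after every cancellation.

```python
"""Toy model (constructed; not Hedgey's code) of the allowance lifecycle."""
from collections import defaultdict


class Token:
    """Minimal ERC-20 style ledger: balances and (owner, spender) allowances."""
    def __init__(self):
        self.balance = defaultdict(int)
        self.allowance = defaultdict(int)

    def transfer(self, src, dst, amount):
        if self.balance[src] < amount:
            raise ValueError("insufficient balance")
        self.balance[src] -= amount
        self.balance[dst] += amount

    def transfer_from(self, spender, owner, dst, amount):
        if self.allowance[(owner, spender)] < amount:
            raise PermissionError("allowance exceeded")
        self.allowance[(owner, spender)] -= amount
        self.transfer(owner, dst, amount)


class ClaimCampaigns:
    ADDRESS = "claim_campaigns"  # hypothetical label for the contract's account

    def __init__(self, token, trusted_lockers=None, revoke_on_cancel=False):
        self.token, self.campaigns = token, {}
        self.trusted_lockers = trusted_lockers  # None models the missing check
        self.revoke_on_cancel = revoke_on_cancel  # False models the flaw

    def create_locked_campaign(self, cid, manager, amount, token_locker):
        if self.trusted_lockers is not None and token_locker not in self.trusted_lockers:
            raise ValueError("tokenLocker is not an approved locker")
        self.token.transfer(manager, self.ADDRESS, amount)  # lock the deposit
        self.token.allowance[(self.ADDRESS, token_locker)] += amount
        self.campaigns[cid] = (manager, amount, token_locker)

    def cancel_campaign(self, cid):
        manager, amount, locker = self.campaigns.pop(cid)
        self.token.transfer(self.ADDRESS, manager, amount)  # refund (assumed)
        if self.revoke_on_cancel:  # hardened path: approval ends with campaign
            self.token.allowance[(self.ADDRESS, locker)] -= amount


def stale_allowance(contract, locker):
    """Allowance held by `locker` beyond its live campaigns; must always be 0."""
    live = sum(a for _, a, l in contract.campaigns.values() if l == locker)
    return contract.token.allowance[(contract.ADDRESS, locker)] - live
```

With the defaults, the invariant holds while the campaign is live and breaks the moment it is cancelled; with revoke_on_cancel=True it holds throughout, and a trusted_lockers allowlist rejects the unvalidated locker at creation.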
Hack Aftermath
Following the exploit on the Hedgey Token Claim Contract, the team quickly acknowledged the incident and advised community users to cancel their active claims to limit any additional impact. This proactive approach aimed to mitigate losses and reassure stakeholders.
Mitigation Steps
Mitigation steps for issues related to lack of input validation and flash loans in smart contracts include:
Implement Robust Input Validation: Ensure all user inputs and parameters are thoroughly validated to prevent unauthorized operations or manipulations. Verify data types and ranges, ensuring inputs adhere to specified formats and constraints.
Use Modifiers and Access Controls: Employ modifiers and access control mechanisms to restrict functions to authorized users only. This helps prevent unauthorized entities from interacting with critical contract functions.
Implement Reentrancy Guards: Use checks-effects-interactions pattern and reentrancy guards to prevent reentrancy attacks. Ensure that changes to the contract state are executed before interacting with external contracts or transferring funds.
Limit External Calls: Minimize or avoid external calls within critical functions, especially those involving token transfers or financial operations. Use trusted contract interfaces and thoroughly review external contract interactions.
Monitor and Limit Allowances: Regularly review and limit token allowances granted to contracts and users. Implement mechanisms to revoke allowances promptly after they are no longer needed to prevent misuse or exploitation.
Audit and Test Contracts: Conduct regular security audits by reputable firms to identify and address vulnerabilities. Perform comprehensive testing with both unit tests and integration tests covering edge cases and unexpected inputs.
Implement Circuit Breakers: Consider implementing circuit breakers or emergency stop mechanisms to halt contract functionality in case of suspicious activities or unexpected behaviors. This can mitigate potential damage during an attack.
Conclusion
In conclusion, the exploit on Hedgey Finance underscores the importance of robust security practices in smart contract development. The vulnerabilities exposed, including lack of input validation and susceptibility to flash loan attacks, highlight the need for thorough code audits, rigorous testing, and proactive risk management strategies.
By promptly addressing these issues and implementing stricter validation measures, the project can enhance resilience against future exploits, safeguard user assets, and rebuild trust within the community.
This incident serves as a stark reminder of the evolving threat landscape in decentralized finance (DeFi) and underscores the ongoing efforts needed to ensure the integrity and security of blockchain-based applications.