LendHub Exploit—Jan 12, 2023—Detailed Analysis

Overview

LendHub, a multi-chain decentralized lending platform operating on both Binance Smart Chain (BSC) and Huobi Eco Chain (HECO), faced a significant security breach on January 12, 2023.

The exploit, announced via LendHub’s Twitter account, resulted in a substantial loss of approximately $6 million.

This incident was primarily attributed to a vulnerability stemming from the simultaneous existence of an old, retired IBSV cToken and a newly introduced token within the platform’s market.

The old IBSV token, which had not been removed from the old market, was priced identically to the new IBSV, creating an exploitable loophole. The exploiter utilized this oversight to manipulate the lending protocol, leading to substantial financial loss for LendHub.

About LendHub

LendHub is a prominent decentralized finance (DeFi) player, offering secure lending services across multiple blockchain networks, namely Binance Smart Chain and Huobi Eco Chain.

Since its inception, LendHub has established itself as a reliable platform for crypto-asset lending, aiming to provide users with efficient and flexible lending services. The platform’s significant Total Value Locked (TVL), which stood at $6 million prior to the exploit, is a testament to its popularity and user trust.

Root Cause of the Hack

The vulnerability stemmed from a discrepancy between a retired IBSV cToken and a new token in LendHub’s market. The old IBSV token, although no longer in use, was not removed from the protocol’s old market. This coexistence of old and new IBSV tokens—both priced according to the new IBSV—created an exploitable situation.

Attack Flow

Initial Setup and Funding

• On January 11, 2023, at 10:11 PM UTC, the exploiter began the preparation for the attack. The initial step involved receiving a fund transfer of 100 ETH from Tornado Cash, a known cryptocurrency tumbler. This transaction was crucial as it provided the necessary funds to execute the exploit.
• ETH Transaction: https://etherscan.io/tx/0xdc560bbaad3972ea3ee012b1cd6829364631b59f30115aa3f78e761818646524

Token Swap and Cross-Chain Transfer

• The exploiter converted the received ETH into Heco Token (HT) and USDT. This was a strategic move to prepare for interaction with the LendHub platform on the HECO chain.
• Following the conversion, the exploiter transferred these tokens cross-chain to the HECO chain, indicating a planned maneuver across different blockchain environments.
• HECO Transaction: https://www.hecoinfo.com/en-us/tx/0x17e47fb60e37ccdbb93394bc82b25ba213b936f7123bc5d4a4a16b043dfacb39

Execution of the Exploit

The exploiter systematically interacted with the vulnerable contracts of LendHub on the HECO chain. This involved several steps, exploiting the existing discrepancy between the old and new IBSV tokens.

a. Token Manipulation and Borrowing:

The attacker utilized Contract 0xafef5… to deposit 659 HBSV tokens into the old HECO market (address 0xdf933…). Due to the protocol’s vulnerability, this deposit was erroneously valued, allowing the attacker to receive a disproportionately large amount of 6,592,539,413,951 IBSV tokens.

The attacker then borrowed 2,106 HDOT tokens from the new HECO market (address 0x6371…) using the inflated IBSV tokens as collateral.

b. Asset Transfer and Reiteration of Exploit:

Following the borrowing, the 659 HBSV tokens were transferred back to the exploiter’s address. This step was crucial as it allowed the exploiter to repeat the process.

The exploiter then replicated steps a and b multiple times, systematically draining HDOT tokens from the new HECO market.

c. Withdrawal of Funds:

Eventually, the exploiter withdrew the accumulated funds from the attack contracts, marking the completion of the exploit.

Asset Tracing and Movement of Stolen Funds

• After executing the exploit, the exploiter’s wallet extracted a significant amount of the crypto assets, including 1,100 ETH (valued at approximately $1.5 million) into Tornado Cash.
• The exploiter’s Ethereum wallet also held around $2.7 million in DAI and USDT.
• Additionally, an Optimism wallet associated with the exploiter holds approximately $1 million in WBTC.
• Cumulatively, across HECO, Ethereum, Optimism, and the funds deposited into Tornado Cash, the exploiter controlled assets worth $5,373,679.79.
• Notably, the latest activities show that on February 27, approximately 2,415 Ether (worth about $3.85 million) was moved to Tornado Cash from the exploiter’s wallet. Hack Aftermath

Immediate Impact on LendHub

The Total Value Locked (TVL) in LendHub suffered a drastic decline, plummeting from $6 million to mere $90,305.

This sharp drop directly resulted from the financial loss due to the exploit and a likely loss of confidence in the platform’s security among users and investors.

Contract Verification Issues

An important factor complicating the aftermath is the unverified status of all contracts on HECO involved in the incident.

This lack of verification obscures the exact configurations and states of the contracts prior to the exploit. Consequently, a full and accurate analysis of the attack and its mechanisms has been hindered, pending further clarification from the LendHub team.

LendHub’s Response

LendHub acknowledged the exploit via its Twitter account but has yet to release a detailed official statement outlining specific response measures or mitigation steps.

This includes any information on potential compensation for affected users, steps taken to secure the protocol against future attacks, or collaboration with blockchain security firms for an in-depth investigation.

Lessons Learnt

The LendHub exploit underscores several critical lessons and highlights essential mitigation steps that can be employed by DeFi platforms to enhance their security and prevent similar incidents. Drawing from the specifics of the LendHub case, the following points are noteworthy:

Regular and Comprehensive Smart Contract Audits

• Conducting thorough and periodic audits of smart contracts can identify vulnerabilities before they are exploited. In the case of LendHub, an audit might have revealed the risks associated with the coexistence of old and new IBSV tokens in the market.

Effective Management of Token Lifecycle

• Properly managing the lifecycle of tokens within a protocol is crucial. This includes the timely removal or deprecation of unused or retired tokens from the market, as their continued presence, as seen in the LendHub exploit, can lead to vulnerabilities.

Cross-Chain Security Considerations

• For platforms operating across multiple blockchains, like LendHub on BSC and HECO, it’s important to consider the unique security challenges of each chain. Cross-chain operations can introduce complex security dynamics that require specialized attention.

Monitoring and Analysis of Transaction Patterns

• Continuous monitoring of transaction patterns can help in early detection of suspicious activities. The LendHub exploit involved repetitive borrowing and redeeming patterns, which could have raised an alert if flagged early.

Rigorous Testing of Contract Upgrades and Changes:

• Any upgrade or change to the existing smart contracts should undergo rigorous testing in a controlled environment to ensure new vulnerabilities are not introduced.

Emergency Response Plan:

• Develop and maintain a robust emergency response plan. This should include procedures for quick action in case of an exploit, such as pausing contract functions and communicating transparently with users.

Educating Users about Safe Practices:

• Regularly educating users about safe investment practices and how to recognize red flags can also contribute to the platform’s overall security.

Collaboration with Security Experts:

• Engaging with blockchain security firms for continuous oversight and consultation can provide an external perspective on potential vulnerabilities and security improvements.

Transparency and Community Involvement:

• Maintaining transparency with the user community, especially regarding changes in smart contracts or tokenomics, can help in garnering community support and potentially identifying vulnerabilities through collective scrutiny.

Utilizing Decentralized Security Tools and Services

Leveraging decentralized security tools and services, such as multi-signature wallets and decentralized monitoring services, can add an extra layer of security.

While not exhaustive, these steps provide a comprehensive approach to mitigating the risks associated with DeFi platforms. Implementing these measures can significantly bolster the security posture of platforms like LendHub, potentially preventing exploits and enhancing user trust in the ecosystem.

Conclusion

The LendHub exploit demonstrates the critical importance of thorough protocol management in the DeFi space. Regular audits and vigilant oversight of smart contract functionalities are essential to prevent similar occurrences.

Hiring expert blockchain security firms like ImmuneBytes for regular audits could significantly enhance the security posture of DeFi platforms.