Hacker Steals Tokens from Hedera: Smart Contract Vulnerability Exploited
Hacker Steals Tokens from Hedera
• On March 9, the Hedera Hashgraph distributed ledger reported a security breach in which tokens from its liquidity pool were stolen due to a smart contract vulnerability.
• The hacker attempted to transfer the stolen tokens through the Hashport bridge, triggering an alarm and prompting Hedera to disable IP proxies.
• The token value of Hedera (HBAR) has dropped 9% in the past 24 hours.
Smart Contract Vulnerability Exploited
The developers of the Hedera Hashgraph distributed ledger revealed that some tokens from its liquidity pool were stolen due to a smart contract vulnerability on the mainnet. This vulnerability was exploited by an attacker who targeted DEXs’ liquidity pools that used code adapted from Ethereum’s Uniswap v2 and deployed on the Hedera Token Service.
Hashport Bridge Triggers Alarm
The hacker’s attempt to transfer the stolen tokens through the Hashport bridge triggered an alarm, causing operators to momentarily stop bridge access. Hedera has not yet verified the total amount of stolen tokens. However, it is suspected that this attack vector originated from a modification made on February 3 to support Ethereum Virtual Machine (EVM) code for use on the HTS.
Proxies Disabled After Attack Discovery
In response to the discovery of the attack, Hedera successfully disabled IP proxies, cutting off network access as a precautionary measure. After disabling the proxies, the company also recommended that token holders verify their account ID and EVM address balances for added assurance. Following the breach, the HBAR token value has dropped 9% in 24 hours, trading at $0.05497 per CMC as of this writing.
Hedera claims to have found the exploit’s “root cause” and is currently “working on a remedy.” It remains unknown when or if those affected will see any compensation for their losses or how exactly the company plans on repairing its vulnerable system going forward.