Lendhub Exploiter Moves Proceeds to TornadoCash


Lendhub, a relatively small cross-chain crypto lending platform operating on HECO, was exploited for $6 million at the beginning of January.

Attack Only Possible Due to Improper Deprecation

The attack was made possible by the improperly executed retirement of a deprecated cToken, IBSV. Its replacement, which was already active, had an identical price point at the time, which allowed the unknown bad actor to manipulate the pricing and drain around $6 million worth of crypto from the platform.

According to blockchain security researcher Halborn, a proper analysis of the attack will be difficult to carry out, as the smart contracts responsible for the price of the two tokens were both unverified. In addition, the smart contracts themselves were not attacked, only the tokens, which should not have been listed at the same time.

"While relevant smart contracts are not audited—which makes it difficult to do a thorough analysis—the attacker did not need to exploit the vulnerabilities of smart contracts to carry out this attack. The attack was only possible because two concurrent versions of the same token were commercially available."
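A configuration check for the condition described above, a deprecated market left usable while its replacement is live, as an added example that is not from the article, Halborn, or Lendhub. The field names are hypothetical, modeled on a cToken-style lending market, and the registry entries are constructed placeholders.

```python
from collections import defaultdict
from dataclasses import dataclass

@dataclass(frozen=True)
class Market:
    symbol: str               # cToken symbol (constructed placeholders below)
    underlying: str           # asset the cToken wraps
    deprecated: bool          # a replacement market has been announced
    mint_paused: bool         # new deposits blocked
    borrow_paused: bool       # new borrows blocked
    collateral_factor: float  # 0.0 means the market cannot back loans

    def open_actions(self):
        """Return the actions this market still allows."""
        actions = []
        if not self.mint_paused:
            actions.append("mint")
        if not self.borrow_paused:
            actions.append("borrow")
        if self.collateral_factor > 0:
            actions.append("collateral")
        return actions

def find_concurrent_versions(markets):
    """Flag deprecated markets still usable while a replacement is live."""
    by_underlying = defaultdict(list)
    for m in markets:
        by_underlying[m.underlying].append(m)
    findings = []
    for underlying, group in sorted(by_underlying.items()):
        # Replacement candidates: non-deprecated markets that accept activity.
        live = [m.symbol for m in group if not m.deprecated and m.open_actions()]
        for old in (m for m in group if m.deprecated):
            if live and old.open_actions():
                findings.append((underlying, old.symbol, live, old.open_actions()))
    return findings

# Constructed registry: cAAA_v1 was deprecated but never fully wound down,
# while cBBB_v1 was retired correctly (everything paused, zero collateral).
MARKETS = [
    Market("cAAA_v1", "AAA", True, True, False, 0.75),
    Market("cAAA_v2", "AAA", False, False, False, 0.75),
    Market("cBBB_v1", "BBB", True, True, True, 0.0),
    Market("cBBB_v2", "BBB", False, False, False, 0.60),
    Market("cCCC", "CCC", False, False, False, 0.50),
]

for finding in find_concurrent_versions(MARKETS):
    print(finding)
```

Any finding means a listing change should be blocked until the old market is paused and its collateral factor is zeroed.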

Partial Withdrawal on the Spot

Just over 1100 ETH, worth about $1.79 million at the time, were sent to TornadoCash mere hours after the exploit.

However, the remaining stolen funds seem to be in motion again, according to both PeckShield and Beosin.

2415 ETH, worth over $3.8 million at the time this article was written, has been sent from a wallet associated with the attack to TornadoCash.

The total amount transferred to TornadoCash is 3515.4 ETH, with a value of more than $5.7 million. The remaining hundreds of thousands are still sitting in the attacker's wallet and will likely be sent to a crypto mixer in the near future.

Thankfully, there is a silver lining to this story: this was the biggest attack on a crypto company during the month of January, and it is a far cry from the Harmony or Ronin attacks of last year. In total, approximately $8.8 million in crypto was lost to hacks in January, a reduction of more than 90 per cent in the value stolen compared with January 2022.

Whether it's because developers are beginning to take security more seriously or because of other factors, it's important to keep in mind that cybersecurity is a constant struggle, and if developers want to keep a positive record, they had better keep an eye on things.