
Sentiment Liquidity Protocol Hacked for $1 Million: How the Attack Happened

by BSCN

April 5, 2023


The Sentiment team has confirmed the attack, paused the main contract, and implemented a fix for the vulnerability with the help of third-party security auditors.

Hacker Took Advantage of a Reentrancy Vulnerability

The Sentiment liquidity protocol on the Arbitrum blockchain was hacked on April 4 for almost $1 million in various tokens, including wrapped Bitcoin and Ether.

The Sentiment team confirmed the attack, reporting unusual borrowing activity that was identified as a malicious exploit. To contain the situation, the team paused the main contract and disabled all functionality except withdrawals.

Possible Cause for the Attack

The attacker apparently stole the tokens via a reentrancy vulnerability and then bridged them to the Ethereum chain. As CertiK points out, the root cause is Balancer's read-only reentrancy.

The price oracle values the LP token from the asset balances in the pool and the total supply of LP tokens. As reported, the exploiter used the Balancer vault's joinPool() function to deposit 606 WBTC, 10,000 WETH, and 18 million USDC, increasing the total supply of the LP token. The funds were then withdrawn using exitPool(), which paid out 606.8 WBTC, 1,000 ETH, and 17.9 million USDC one after another.

During that withdrawal the attacker's fallback function is invoked at a point where the LP token supply has already been reduced but the pool balances of WBTC, WETH, and USDC have not yet been updated, so the oracle price is skewed, allowing the attacker to borrow many assets at the distorted price.
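The following Python model is an added example for the two paragraphs above; it is not code from Sentiment, Balancer, or CertiK. It assumes a simplified pool that accepts proportional deposits, a plain flag standing in for the vault's reentrancy lock, and constructed balances and prices. The vulnerable oracle divides pool TVL by LP supply and returns an inflated value when queried from the callback, because the supply has been burned while balances are still untouched; the guarded oracle applies the standard read-only-reentrancy mitigation of refusing to answer while the vault is mid-operation, which is where a lending protocol reading collateral value would revert instead of lending at the skewed price.

```python
"""Toy model of read-only reentrancy against a TVL/supply LP-token oracle (constructed example)."""
from typing import Callable, Dict, List

# Constructed spot prices; not the real April 2023 market prices.
PRICES: Dict[str, float] = {"WBTC": 28_000.0, "WETH": 1_800.0, "USDC": 1.0}


class PoolReentrancy(Exception):
    """Raised by the hardened oracle when queried while the vault is mid-operation."""


class Pool:
    """Minimal stand-in for a Balancer-style pool: token balances plus LP supply.
    The vault's reentrancy lock is modelled as a plain boolean (assumption)."""

    def __init__(self, balances: Dict[str, float], lp_supply: float) -> None:
        self.balances = dict(balances)
        self.lp_supply = lp_supply
        self.in_vault_context = False

    def join_pool(self, amounts: Dict[str, float]) -> float:
        """Deposit a proportional basket and mint LP tokens pro rata."""
        share = amounts["WBTC"] / self.balances["WBTC"]
        for token, amount in amounts.items():
            self.balances[token] += amount
        minted = self.lp_supply * share
        self.lp_supply += minted
        return minted

    def exit_pool(self, lp_amount: float, receiver: "PriceProbe") -> None:
        """Burn LP tokens first, then pay out each token (the native-ETH leg hands
        control to the receiver), and only afterwards write back the balances.
        This ordering is the assumption that makes the window exist."""
        self.in_vault_context = True
        share = lp_amount / self.lp_supply
        payouts = {t: b * share for t, b in self.balances.items()}
        self.lp_supply -= lp_amount                     # step 1: supply already reduced
        for token, amount in payouts.items():
            receiver.on_receive(token, amount, self)    # step 2: callback fires in here
        for token, amount in payouts.items():
            self.balances[token] -= amount              # step 3: balances updated last
        self.in_vault_context = False


def lp_price_naive(pool: Pool, prices: Dict[str, float]) -> float:
    """Value of one LP token = pool TVL / LP supply (the vulnerable formula)."""
    tvl = sum(pool.balances[t] * prices[t] for t in pool.balances)
    return tvl / pool.lp_supply


def lp_price_guarded(pool: Pool, prices: Dict[str, float]) -> float:
    """Same formula, but refuses to answer while the vault is mid-operation."""
    if pool.in_vault_context:
        raise PoolReentrancy("oracle queried during a vault operation")
    return lp_price_naive(pool, prices)


class PriceProbe:
    """Receiver stand-in: on the ETH leg it asks the oracle for the LP price,
    the moment at which a lender would be valuing LP-token collateral."""

    def __init__(self, oracle: Callable[[Pool, Dict[str, float]], float]) -> None:
        self.oracle = oracle
        self.observed: List[float] = []
        self.reverted = False

    def on_receive(self, token: str, amount: float, pool: Pool) -> None:
        if token != "WETH":            # only the native-ETH transfer yields control
            return
        try:
            self.observed.append(self.oracle(pool, PRICES))
        except PoolReentrancy:
            self.reverted = True       # on-chain the whole exit would revert here


def run_scenario(oracle: Callable[[Pool, Dict[str, float]], float]) -> Dict[str, object]:
    """Join with a basket equal to the whole pool, exit it, and record the LP price
    seen before, inside, and after the exit."""
    pool = Pool({"WBTC": 100.0, "WETH": 1_500.0, "USDC": 3_000_000.0}, lp_supply=1_000.0)
    before = oracle(pool, PRICES)
    minted = pool.join_pool({"WBTC": 100.0, "WETH": 1_500.0, "USDC": 3_000_000.0})
    probe = PriceProbe(oracle)
    pool.exit_pool(minted, probe)
    after = oracle(pool, PRICES)
    return {"before": before, "during": probe.observed, "after": after, "reverted": probe.reverted}


if __name__ == "__main__":
    print("naive  :", run_scenario(lp_price_naive))
    print("guarded:", run_scenario(lp_price_guarded))
```

With the constructed numbers the honest LP price is 8,500 before and after the exit, but inside the callback the naive oracle reports 17,000 (TVL unchanged, supply halved), which is exactly the inflated collateral value the article describes; the guarded oracle raises instead.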

Sentiment is now tracing the protocol's stolen funds. In addition, the team is working with law enforcement to identify the hacker and recover the funds.

In collaboration with third-party security auditors, the Sentiment team released a fix resolving the vulnerability, allowing users to repay debts and unwind their positions.

Sentiment also sent a message to the hacker, offering to let them keep 10% of the stolen funds as a bounty if they returned the rest. In the letter, the company promised a $95,000 payment if the assets were returned before 8 a.m. UTC on April 6.  

If the funds are not returned, Sentiment will instead pay the bounty to those who provide information about the hacker. The Arbitrum liquidity protocol had previously been audited by two crypto security firms.

Sentiment has a total value locked (TVL) of $5.8 million, down from $10.76 million on April 4.

What is Sentiment:

Sentiment is a liquidity protocol that enables permissionless undercollateralized borrowing on-chain. The protocol aims to address capital inefficiencies in DeFi by offering a primitive-based solution for permissionless, undercollateralized on-chain credit. By implementing on-chain hypothecation, Sentiment mitigates the problem of widespread counterparty risk.
