Every week, if not every single day, decentralized finance (DeFi) protocols are inevitably exposed to various attacks and scams. Bugs in the code or developers absconding with funds: these scenarios seem endless. Today is no different, as Hope Finance protocol has been put under the spotlight due to an alleged rug pull.
Hacker Attacked 2 Hours After Hope Finance Launch
Hope Finance was a promising project; unfortunately, cut short by an unexpected scam. After successfully launching on Arbitrum’s layer 2 on February 20, the protocol quickly saw many users transfer funds to its platform. Yet only two hours after launch and just minutes after deposits had been made, Hope Finance announced that a malicious actor had stolen $1.8 million in user funds.
Hope Finance took to Twitter to inform users of the scammer’s presence, including a picture of them with what is likely an altered identity card as part of their fraudulent KYC procedure. Once they noticed funds had gone missing, Hope released another statement urging users on how to properly use the emergency withdrawal feature for added protection.
The Hacker Could Be One Of The Hope Members
Despite the unclear specifics of this case, it appears that we may be facing a rug pull. As per information gathered by Certik, the attack was actually initiated by one of the Hope Finance team members. They initially released a counterfeit Router smart contract and then reconfigured Hope’s “SwapHelper” agreement to use said fake router – verified when all three keyholders from the multi-sig signed off on it.
Furthermore, the “_swapExactTokenForTokens” variable was altered to redirect toward the scammer’s wallet address. Therefore, whenever a USDC loan is established on the protocol, its WETH gets sent to TradingHelper for conversion into USDC– only this time, it wound up transferring all of those funds straight into the hacker’s pocket following their modifications!
All in all, the assailant was able to pilfer approximately $800,000 of WETH and $1 million of USDC. Nonetheless, the attacker’s culpability is still uncertain. Unsurprisingly, they hastily shunted their loot through Tornado Cash protocol to obscure any tracks left behind.
Hope Finance Team Ignored Security Warnings
It is no surprise that Hope Finance encountered such a scenario. It appears that their contractual protocols were less than ideal, as evidenced by the audit conducted by Cognitos on February 7, which revealed numerous vulnerabilities, including two major ones. Evidently, these contracts contained an exploitable loophole allowing for reentrancy attacks to be performed.
To add, based on the information Cognitos revealed after the attack, Hope Finance’s teams apparently did not take into account the audit results. Out of 4 rounds of code testing post-audit, only 10% of the vulnerabilities outlined were addressed. This negligence emphasizes how essential it is to evaluate and revise your security measures following an audit to ensure safety!
You may be interested in: UK Retailers Lay Thousands of Workers Due to Uncertainty in the Markets
