Hope Finance Hacked: $2 Million Stolen

Every week, if not every single day, decentralized finance (DeFi) protocols are inevitably exposed to various attacks and scams. Bugs in the code or developers absconding with funds: these scenarios seem endless. Today is no different, as Hope Finance protocol has been put under the spotlight due to an alleged rug pull.

Hacker Attacked 2 Hours After Hope Finance Launch

Hope Finance was a promising project; unfortunately, cut short by an unexpected scam. After successfully launching on Arbitrum’s layer 2 on February 20, the protocol quickly saw many users transfer funds to its platform. Yet only two hours after launch and just minutes after deposits had been made, Hope Finance announced that a malicious actor had stolen $1.8 million in user funds.

Hope Finance took to Twitter to inform users of the scammer’s presence, including a picture of them with what is likely an altered identity card as part of their fraudulent KYC procedure. Once they noticed funds had gone missing, Hope released another statement urging users on how to properly use the emergency withdrawal feature for added protection.

The Hacker Could Be One Of The Hope Members

Despite the unclear specifics of this case, it appears that we may be facing a rug pull. As per information gathered by Certik, the attack was actually initiated by one of the Hope Finance team members. They initially released a counterfeit Router smart contract and then reconfigured Hope’s “SwapHelper” agreement to use said fake router – verified when all three keyholders from the multi-sig signed off on it.

Hacker Attacked 2 Hours After Hope Finance Launch

Furthermore, the “_swapExactTokenForTokens” variable was altered to redirect toward the scammer’s wallet address. Therefore, whenever a USDC loan is established on the protocol, its WETH gets sent to TradingHelper for conversion into USDC– only this time, it wound up transferring all of those funds straight into the hacker’s pocket following their modifications!

All in all, the assailant was able to pilfer approximately $800,000 of WETH and $1 million of USDC. Nonetheless, the attacker’s culpability is still uncertain. Unsurprisingly, they hastily shunted their loot through Tornado Cash protocol to obscure any tracks left behind.

Hope Finance Team Ignored Security Warnings

It is no surprise that Hope Finance encountered such a scenario. It appears that their contractual protocols were less than ideal, as evidenced by the audit conducted by Cognitos on February 7, which revealed numerous vulnerabilities, including two major ones. Evidently, these contracts contained an exploitable loophole allowing for reentrancy attacks to be performed.

To add, based on the information Cognitos revealed after the attack, Hope Finance’s teams apparently did not take into account the audit results. Out of 4 rounds of code testing post-audit, only 10% of the vulnerabilities outlined were addressed. This negligence emphasizes how essential it is to evaluate and revise your security measures following an audit to ensure safety!

You may be interested in: UK Retailers Lay Thousands of Workers Due to Uncertainty in the Markets

Pieter Aven

Pieter Aven is a business and financial journalist based in Boston covering stories at the intersection of business, technology and finance. He holds a degree in Germanic languages from the University of Brussels and a degree in journalism from Boston University.

Related Articles

Leave a Reply

Your email address will not be published. Required fields are marked *

Back to top button