Attackers who exploited a $573,000 vulnerability on multi-chain token bridge Allbridge have earned the company the chance to come forward as a white hat and claim a bounty.
Blockchain security firm Peckshield, which first spotted the attack on April 1, warned Allbridge in a tweet that its BNB chain pool swap prices were being manipulated by individuals acting as liquidity providers and exchangers who were able to drain Binance USD pool of $282,889 $B and $290,868 worth of Tether.
In an April 1 tweet after the hack, Allbridge offered the attackers an olive branch in the form of an undisclosed bounty and a chance to escape any legal consequences. "Please reach out to us via official channels (Twitter/Telegram) or message via tx so we can identify this as a white hat hacker and discuss a bounty in exchange for returning funds," Allbridge wrote.
In a series of separate tweets, Allbridge made it clear they were tracking the stolen funds. With the help of its "partners and community," Allbridge said it was "tracking hackers through social networks." "We continue to monitor the wallets, transactions and associated CEX accounts of individuals involved in the hack," it added.
Allbridge also said it was working with law firms, law enforcement and other programs affected by exploiters. According to Allbridge, its bridging protocol has been temporarily suspended to prevent potential exploitation by its other mining pools; it will be restarted once the vulnerability is fixed. “Additionally, we are deploying a web interface for liquidity providers to enable withdrawal of assets,” it added.
Blockchain security firm CertiK conducted an in-depth analysis of the hacker in a post on April 1, and determined that the method used was a flash loan attack. CertiK explained that the attacker obtained a $7.5 million BUSD flash loan and then initiated a series of USDT swaps before depositing in BUSD and USDT liquidity pools on Allbridge. This manipulated the price of USDT in the pool, allowing the hacker to swap $40,000 of BUSD for $789,632 of USDT.According to a March 31 tweet from PeckShield, 26 crypto projects were hacked in March, resulting in a total loss of $211 million.
Euler Finance’s March 13 hack resulted in a loss of more than 90%, while projects such as Swerve Finance, ParaSpace, and TenderFi suffered other costly attacks.
