Potential users of an Arbitrum-based decentralized finance (DeFi) project have lost out after a $2 million exploit.
Web3 security firm CertiK flagged the incident on February 21, after an announcement from the Hope Finance Twitter account notified users of the scam. Details of the project were hard to come by. The platform's Twitter account was launched in January 2023 and outlined plans for an algorithmic stablecoin called Hope Token (HOPE), which dynamically adjusts its supply based on the price of ether.
Posts on the account said that shortly after the platform went live on February 20, a Nigerian national carried out the scam and transferred more than $1.86 million to Tornado Cash. A member of the CertiK team told Cointelegraph that the scammers changed the details of the smart contract, resulting in the loss of funds from the Hope Finance genesis protocol: “It appears that the scammers have altered the TradingHelper contract, meaning that when 0x4481 calls OpenTrade on the GenesisRewardPool, the funds will be transferred to the scammers.”
According to a tweet published on Feb. 13, the Hope Finance smart contract was audited by Cognitos. Cointelegraph reviewed the audit summary, which flagged two major contract functionality vulnerabilities. These include incorrect modifiers and the possibility of reentrancy attacks. Despite flagging these vulnerabilities, Cognitos found that the smart contract code was successfully audited.
Following the scam, Hope Finance shared information with users on how to withdraw pledged liquidity from the protocol through an emergency withdrawal feature. Arbitrum is an Ethereum Layer 2 rollup network that enables exponential scaling of smart contracts. Together with Optimism, it is one of two layer 2 protocols that continue to process a growing number of transactions within the Ethereum ecosystem.