Decentralized proof-of-stake (PoS) blockchain Hedera has finally confirmed a security flaw. In an update, the team behind the platform revealed that attackers exploited the smart contract service code of the protocol’s mainnet to transfer Hedera Token Service tokens held by victims’ accounts to their own accounts.
It said the team had identified the root cause of the issue and was working on a solution. Hedera further pointed out that the attackers targeted, for theft, accounts used as liquidity pools on multiple decentralized exchanges (including Pangolin, SaucerSwap, and HeliSwap); these accounts use Uniswap v2-derived contract code ported to use the Hedera Token Service.
Hedera announced it was shutting down network services, initially citing a "network exception" as the reason. In the latest confirmation thread posted by the platform, it stated that the mainnet proxy is still down to prevent attackers from stealing more tokens, thereby removing users’ access to the mainnet. The team is currently working on a solution.
“Once a solution is ready, Hedera council members will sign the transaction to approve the deployment of updated code on mainnet to eliminate this vulnerability, at which point the mainnet proxy will be reopened, allowing normal activity to resume.” Several decentralized applications running on the network have previously flagged suspicious activity. Hashport Bridge, a Hedera-based cross-chain solution, became the first entity to freeze bridge assets after detecting a smart contract breach earlier this week.
So far, Hedera Token Service (HTS) and Hedera Consensus Service (HCS) have been affected by the vulnerability.
DeFi research firm Ignas said the exploit targeted "the decompilation process in smart contracts." Meanwhile, some Hedera-based decentralized exchanges advised users to withdraw funds. Later, however, SaucerSwap confirmed that it was not affected by the vulnerability and asked users not to withdraw liquidity from the platform.
However, Pangolin CEO Justin Trollip said that in addition to HeliSwap’s $2,000, the decentralized exchange lost $20,000. A few hours later, he received a message that another 100k had been stolen. Attackers were unable to move funds out of Hedera because they no longer had access to the suspended Hashport tokens. Their plans to exit Ethereum were also thwarted by the collective efforts of the team. However, the attackers then started trying to transfer their funds to ChangeNow.io and Godex.io. According to Trollip, a team member has contacted the centralized cryptocurrency exchange to ask it to cease the activity, and authorities have been alerted.
Following the incident, the total value locked (TVL) is rapidly declining. According to data compiled by DefiLlama, Hedera’s TVL fell to $24.59 million, down more than 16% in the past 24 hours. Hedera’s native token, HBAR, also suffered losses of more than 7% and is currently trading at $0.057.




















