The Total Damage Of Sentiment Exploitation Come To Nearly $1 Million
- On April 4, the Sentiment liquidity mechanism on the Arbitrum blockchain was attacked for over $1 million in different tokens.
- To carry out the theft, the exploiter seems to have exploited a re-entry vulnerability.
- Sentiment contacted the hacker and offered them 10% of the stolen monies as a reward.
Detailed investigation revealed that DeFi lending protocol Sentiment liquidity protocol on the Arbitrum blockchain was attacked on April 4 for almost $1 million in various tokens, including wrapped Bitcoin and Ether, and several different stablecoins.
The attacker seems to have stolen the tokens via a re-entrancy vulnerability, then switched them and bridged them to the Ethereum main chain.
According to CertiK, the fundamental reason is Balancer’s read-only reentry.
In order to determine the price, the price oracle employed depends on the balances of the assets in the pool and the total quantity of the LP tokens (B-33WETH-33WBTC-33USDC).
To influence the price, the exploiter used 606 WBTC, 10,000 WETH, and 18 million USDC to use the Balancer vault’s ‘joinPool’ function, increasing the overall supply of the LP coin. He then withdrew the funds by using ‘exitPool(),’ which sent 606.8 WBTC, 1,000 ETH, and 17.9 million USDC consecutively.
Among these transactions, moving ETH back will activate the exploiter contract’s fallback feature. Since the overall supply is reduced in the fallback function, but the recorded balances of WBTC, WETH, and USDC are not changed in the pool, the price is tilted, and the attacker may borrow numerous assets at the slanted price.
Sentiment is now examining the protocol’s stolen cash. The team has made efforts to determine the core cause of the breach and prevent the possibility of subsequent losses. The team has contacted law enforcement and has collaborated with third-party auditors and security organizations.
Sentiment sent a message to the hacker a few hours ago, promising to let them retain 10% of the stolen monies as a reward if they returned the remainder. The letter promised a $95,000 payment if the assets were returned before 8 a.m. UTC on April 6. If the prize is not returned, Sentiment will be distributed to individuals who provide information on the hacker.
DISCLAIMER: The Information on this website is provided as general market commentary and does not constitute investment advice. We encourage you to do your own research before investing.
Join us to keep track of news: https://linktr.ee/coincu