...and is definitely not an enormous grift that's pouring lighter fluid on our already smoldering planet.
Created by Molly White. Subscribe to her newsletter for weekly recaps.
The majority of assets were stolen from Hedgey on the Arbitrum layer-2 network, although around $2.1 million of them were stolen from the version deployed on the Ethereum mainnet.
Hedgey Finance confirmed the exploit, and sent an optimistic and congratulatory message on-chain: "Well done for finding it! We're assuming you executed this exploit as a white hat, so we'd like to get in touch with you to discuss next steps." No on-chain response thus far.
Blockchain security firms detected the attack quickly, and the project team paused the project's smart contract within fifteen minutes, but not before the millions were stolen. They contacted the attacker via an on-chain message to offer a 10% "bounty", later threatening that they had a "strong lead that we think will soon reveal the identity of the exploiter".
Goledo Finance contacted the attacker to offer a 10% "bounty" for the return of the remaining assets. In a message on January 29, the attacker wrote: "I hacked Goledo and want to negotiate".
Platypus was quickly able to recover $575,000 from this latest hacker, thanks to a flaw in their attack. Later, they recovered all but $167,400 of the stolen funds after coming to an agreement with the attacker that they would not pursue legal action.
The attack was a "classic price manipulation" exploit, according to the Ironblocks security firm. The attacker was able to steal 1,152 ETH ($2.13 million) from the protocol. They then tumbled the stolen funds through Tornado Cash.
The project was audited by SolidProof and InterFi. The project announced that they intended to relaunch the token, and asked the exploiter to consider returning 80% of the funds, keeping 20% as a "bug bounty".
This is the second apparent hack of Platypus Finance, following an $8.5 million hack only ten days after it launched in February 2023. The first hack also involved flash loans.
The Arcadia Finance team paused related smart contracts to prevent further attacks, and began working with various crypto security projects to investigate the attack. They also sent on-chain messages to the attacker, threatening law enforcement action and suggesting they "return 90% of the funds... and walk away".
Only eleven days later, on June 27, the team boasted that the project "has grown to over $1m TVL in 2 working days". An hour after that, they announced that they would be suspending the protocol and beginning an immediate investigation into an apparent theft. Themis boasts in its documentation that "security is the highest priority" of the project, and lists multiple audits from PeckShield.
An attacker was apparently able to exploit the project, draining around 220 Themis-wrapped ETH (nominally worth ~$417,000). Due to liquidity issues, they could only swap these for around 94 ETH (~$178,000) and almost $190,000 in stablecoins, for a total haul of around $368,000.
After the attack, Jimbos Protocol tweeted "We are aware of the exploit regarding our protocol and are actively in contact with law enforcement and security professionals. We will release further information when possible." They also sent an on-chain message to the exploiter, offering to stop all investigations if the hacker returns 90% of the stolen funds.
No JavaScript? That's cool too! Check out the Web 1.0 version of the site to see more entries.
