Hedgey Finance loses $44.5 million in flash loan exploit
The protocol said that it is now actively working with auditors and its team to understand the attack and prevent any further damage.
Hedgey Finance, a token infrastructure platform, has fallen victim to a flash loan attack, resulting in the loss of approximately $44.5 million in digital assets across Ethereum’s layer-2 network Arbitrum and the Binance Smart Chain (BSC). The attack occurred within a two-hour window on April 19.
🚨UPDATE🚨 @hedgeyfinance has experienced a security breach with their Hedgey Token Claim Contract!
Total loss is around $1.9M. Attacker is funded by @ChangeNOW_io.
All stolen funds are swapped to $DAI and transferred to an EOA at https://t.co/MT78LFSQ7G
We urge all users to… https://t.co/hwuBjTiebp
— 🚨 Cyvers Alerts 🚨 (@CyversAlerts) April 19, 2024
According to blockchain security firm Cyvers, the attacker exploited Hedgey’s “createLockedCampaign” function using flash-loaned funds to drain the platform’s assets. The stolen funds were initially swapped to the DAI stablecoin and transferred to an external address.
The attacker then repeated the exploit on the Arbitrum chain, stealing an additional $42.8 million after receiving funding on the ETH Chain via FixedFloat.
Following the attack, the suspicious address became the primary holder of the BONUS token, the native digital asset of BonusBlock, a project aimed at acquiring and onboarding high-quality users to the Web3 ecosystem. The token’s value has since dropped by around 10% to $0.5084, according to on-chain data. The attacker has already begun moving some of the stolen assets, transferring over 200,000 BONUS tokens, worth approximately $110,000, to the Bybit exchange.
Hedgey Finance has announced an ongoing investigation into the attack and advised users with active claims to cancel them using the “End Token Claim” feature on the platform’s website. The firm is working with auditors to understand the attack and prevent any further exploitation.
Cyvers emphasized the importance of open collaboration between dApps and security firms to mitigate risks and rebuild trust in the crypto ecosystem. The security firm also noted that its attempts to contact Hedgey Finance’s team prior to the attack were unsuccessful.
In the wake of the incident, several fraudulent accounts impersonating the Hedgey protocol have emerged on social media platform X, attempting to lure users into phishing scams by prompting them to request refunds or retract their smart contract approvals through suspicious links.