Rob Behnke
April 24th, 2024
In April 2024, Hedgey Finance suffered a $44.7 million hack. The attackers used flashloans to steal value from the project’s smart contracts on both the Arbitrum ($42.6M) and Ethereum ($2.1M) platforms.
The root cause of the Hedgey Finance hack was a failure to properly implement input validation for one of the key functions in the project’s token locking contracts. Using a flashloan, the attacker was able to exploit this vulnerability to trick the contract into providing malicious approvals for token transfers.
The vulnerable function in the smart contract is called createLocked Campaign, which is designed to create a locked or vesting claims campaign. The function included validation for most of its parameters; however, it lacked one for the claimLockup parameter. This parameter played a crucial role in the function since it specified information such as the locker of a token and was used to index the newly created locking campaign within the protocol’s smart contract.
The attacker crafted a call to this campaign that exploited these vulnerabilities to inappropriately create a lockup campaign. Then, they canceled the campaign, which made the assets locked in the campaign available for withdrawal. In a follow-up transaction, the attacker took advantage of the created approvals to extract tokens from the vulnerable contract to their own contract.
By creating these fake approvals, the attacker was able to drain a total of $44.7 million tokens from the project’s Ethereum and Arbitrum smart contracts, including USDC, NOBL, MASA, and BONUS tokens. After acknowledging the hack, the Hedgey Finance team sent an on-chain message to the attacker requesting a return of the funds and treating the incident as a white hat hack.
The Hedgey Finance hack was an expensive lesson in the importance of proper input validation in smart contracts. While the exploited function in the vulnerable smart contract had validation in place for many of its parameters, the claimLockup parameter — which was critical to the function’s purpose — went unvalidated. Exploiting this enabled the attacker to drain an estimated $44.7 million in tokens by creating and exploiting fake approvals.
Business logic vulnerabilities like this one can be devastating to a protocol; however, they can also be identified and remediated via a full-scope audit before a smart contract is launched. For more information on protecting your project against attack, get in touch with Halborn.