Rob Behnke
Invalid date
In June 2024, Holograph, an NFT protocol based on Omnichain, suffered a $14.4 million hack. The attacker — believed to be a former developer on the project — exploited an infinite mint vulnerability in the protocol’s smart contracts to mint 1 billion HLG tokens, which they then dumped for a profit.
The Holograph hack was perpetuated by a former contractor of the protocol. This was initially theorized based on the fact that the attacker’s address was approved to call the project’s mint function and later confirmed by the Holograph team.
The attacker deployed a malicious smart contract on Mantle that called the protocol’s mint function. Since the attacker’s address was trusted by the contract, they were able to bypass the access controls on the mint function and perform a successful mint. The rogue developer performed nine minting transactions to create a total of 1 billion HLG tokens.
After minting 1 billion new HLG tokens, the attacker bridged them to the Ethereum network, where they began dumping them. While approximately 200 million of the minted tokens were frozen by exchanges, the attacker managed to dump some of them. As a result of the inflated supply, the value of the HLG tokens plummeted by about 80% within the first nine hours of the attack.
The Holograph hack underscores the importance of proper access control and vetting members of the development team. In this case, a rogue developer took advantage of the fact that an address under their control was one of the ones approved to call the project’s mint function. With this privileged access, they were able to dramatically increase the supply of HLG tokens in circulation to their benefit and the detriment of the project’s users.
When implementing privileged functionality, such as mint and burn functions, in smart contracts, decentralizing control is a best practice that can help to protect against malicious insiders like the Holograph hacker. If a trusted, privileged account is controlled by a multi-sig wallet, then multiple holders of private keys would need to collaborate and collude to exploit their privileged access.
When designing and deploying smart contracts, an audit of a project’s smart contract code is vitally important but not enough. An organization also needs security programs and controls in place to manage the risks beyond the code. For help in achieving holistic on-chain security, get in touch with Halborn.