In January 2023, LendHub, a cross-chain DeFi lending platform, was the victim of a hack.  The attacker stole approximately $6 million by exploiting the protocol’s smart contracts.

Inside the Attack

The LendHub hack was made possible by a failure to properly remove a deprecated token from the market. During an update, LendHub replaced the existing IBSV token with a new version that had its own Comptroller contracts. However, the update did not remove the old token, so both versions remained active in the market with the same price.

This issue allowed the attacker to interact with both token contracts separately while exploiting the discrepancies between the two.  The attacker took advantage of the mint and redeem functionality in the old market and took out loans in the new market.  These activities caused discrepancies in how the two markets calculated the liabilities, allowing the attacker to drain approximately $6 million in value from the new token.

Lessons Learned From the Attack

The LendHub hack demonstrates the importance of a clear, comprehensive process for updating smart contracts on the blockchain.  While the relevant smart contracts are unverified — making an in-depth analysis difficult —  the attacker did not need to exploit smart contract vulnerabilities to carry out this attack.  The attack was only possible because two competing versions of the same token were available on the market.
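As an added example (not LendHub's code, since its contracts are unverified), an upgrade checklist can include an automated check that no underlying asset is left with more than one live market. The registry snapshot, its field names and addresses are constructed, and the liveness rule (minting open or a nonzero collateral factor) is an assumption.

```python
from collections import defaultdict

# Constructed registry snapshot. Addresses, field names and values are
# hypothetical; they are not taken from LendHub's (unverified) contracts.
MARKETS = [
    {"addr": "0xOLD", "underlying": "BSV", "comptroller": "0xC1",
     "deprecated": True, "mint_paused": False, "collateral_factor": 0.8},
    {"addr": "0xNEW", "underlying": "BSV", "comptroller": "0xC2",
     "deprecated": False, "mint_paused": False, "collateral_factor": 0.8},
    {"addr": "0xUSDT", "underlying": "USDT", "comptroller": "0xC2",
     "deprecated": False, "mint_paused": False, "collateral_factor": 0.9},
    {"addr": "0xOLDETH", "underlying": "ETH", "comptroller": "0xC1",
     "deprecated": True, "mint_paused": True, "collateral_factor": 0.0},
    {"addr": "0xNEWETH", "underlying": "ETH", "comptroller": "0xC2",
     "deprecated": False, "mint_paused": False, "collateral_factor": 0.85},
]


def is_live(m):
    """Assumed rule: live if it can still mint or still counts as collateral."""
    return (not m["mint_paused"]) or m["collateral_factor"] > 0


def audit_markets(markets):
    """Return sorted (underlying, finding, addresses) tuples that should block a release."""
    by_underlying = defaultdict(list)
    for m in markets:
        if is_live(m):
            by_underlying[m["underlying"]].append(m)

    findings = []
    for underlying, live in by_underlying.items():
        addrs = tuple(sorted(m["addr"] for m in live))
        stale = tuple(sorted(m["addr"] for m in live if m["deprecated"]))
        if stale:  # a retired market was never actually switched off
            findings.append((underlying, "DEPRECATED_STILL_LIVE", stale))
        if len(live) > 1:  # two markets accept the same asset
            findings.append((underlying, "DUPLICATE_LIVE_MARKETS", addrs))
        if len({m["comptroller"] for m in live}) > 1:  # liabilities tracked separately
            findings.append((underlying, "SPLIT_ACROSS_COMPTROLLERS", addrs))
    return sorted(findings)


if __name__ == "__main__":
    for finding in audit_markets(MARKETS):
        print(finding)
```

The fully retired ETH market (minting paused, zero collateral factor) produces no finding, while the BSV pair is reported three ways.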

Explained: The LendHub Hack (January 2023)
Rob Behnke
01.19.2023