Lendhub Hacked for $6 Million

January 12, 2023

Summary #

A hacker exploited a vulnerability in the LendHub protocol to steal approximately $6 million in digital assets. The vulnerability was caused by the existence of two IBSV tokens on the platform, one of which had been deprecated but not removed. The attacker was able to mint and redeem tokens in the old market while borrowing against them in the new market, ultimately making off with the majority of the assets on the platform.

Attackers #

The attackers behind the Lendhub hack remain unidentified.

Lendhub Hacker wallet: 0x9d0163e76bbcf776001e639d65f573949a53ab03

Losses #

Lendhub lost approximately $6 million.

Timeline #

January 11, 2023, 10:11:35 PM +UTC: The exploiter received 100 ETH from Tornado.cash.
January 11, 2023, 10:38:59 PM +UTC: The exploiter swapped ETH for Heco Token (HT) and USDT and transferred tokens cross-chain to the HECO chain.
January 12, 2023: The exploiter then interacted with the attack contracts multiple times, which drained assets from the new Lendhub HECO market.
January 13, 2023: Lendhub announced the hack on their platform and the extent of the losses, with around $6 million stolen
January 13, 2023: The attacker has made 11 transactions totaling 1,100 ETH to Tornado.cash
February 26, 2023: The attacker has deposited another 2,415.4 ETH into Tornado.cash

Security Failure Causes #

Dev Team Negligence: The main reason was overlooked deprecated token from the market. This made it possible to mint and redeem tokens on the old market, while simultaneously borrowing money against them on the new market

Market Health Metrics API

Benford's Law

Volume distribution analysis

Time-of-Trade

Buy/Sell Ratio

VWAP

Attack Types

Entity Types

Target Entities

51% Attacks

Custodian Attacks

Flash Loan Attacks

Lockout Scams

Phishing Attacks

Reentrancy Attacks

Rug Pull Scam