Lendhub Hacked for $6 Million

Summary

A hacker exploited a vulnerability in the LendHub protocol to steal approximately $6 million in digital assets. The vulnerability was caused by the existence of two IBSV tokens on the platform, one of which had been deprecated but not removed. The attacker was able to mint and redeem tokens in the old market while borrowing against them in the new market, ultimately making off with the majority of the assets on the platform.

Attackers

The attackers behind the Lendhub hack remain unidentified.

• Lendhub Hacker wallet: 0x9d0163e76bbcf776001e639d65f573949a53ab03

Losses

Lendhub lost approximately $6 million.

Timeline

• January 11, 2023, 10:11:35 PM +UTC: The exploiter received 100 ETH from Tornado.cash.
• January 11, 2023, 10:38:59 PM +UTC: The exploiter swapped ETH for Heco Token (HT) and USDT and transferred tokens cross-chain to the HECO chain.
• January 12, 2023: The exploiter then interacted with the attack contracts multiple times, which drained assets from the new Lendhub HECO market.
• January 13, 2023: Lendhub announced the hack on their platform and the extent of the losses, with around $6 million stolen
• January 13, 2023: The attacker has made 11 transactions totaling 1,100 ETH to Tornado.cash
• February 26, 2023: The attacker has deposited another 2,415.4 ETH into Tornado.cash

Security Failure Causes

• Dev Team Negligence: The main reason was overlooked deprecated token from the market. This made it possible to mint and redeem tokens on the old market, while simultaneously borrowing money against them on the new market