More than $500,000 in cryptocurrency appears to have been lost in a security breach at the lending protocol Sentiment. The Sentiment team acknowledged the suspicious borrowing activity as a malicious exploit on Twitter. A transfer of 536,738.41001 USD Coin (USDC) out of the Synapse Bridge is alleged to be proceeds of the exploit and may be linked to a series of Arbitrum transactions that drained Sentiment's funds.
Arbiscan labels the wallet behind the attack "Sentimentxyz Exploiter." To contain the damage, the Sentiment team paused the main contract, disabling every function except withdrawals.
The attacker exploited a reentrancy vulnerability to steal the tokens and then moved them to the Ethereum chain, according to a Twitter user posting as Officer's Notes, whose analysis builds on work by another researcher posting as FrankResearcher.
How the Attack on Sentiment Protocol Played Out
Investigations suggest the attacker may have obtained the lending protocol's deployer key. The attacker began by deploying a contract on the Arbitrum network at address 0xa4d063b9468b93aee2a87ec7072c3dabd5ee5968.
One minute later they called the contract's "run" function. That call failed, reverting with "Fail with error 'BAL#420'". The attacker then successfully invoked the contract's self-destruct function, which removed the contract's code from the chain.
After destroying that contract, the attacker redeployed it at address 0x9f626F5941FAfe0A5b839907d77fbBD5d0deA9D0 and called "run" again. This time the call succeeded and triggered a series of transactions from the contract. One of those transactions changed the admin of a BeaconProxy contract at address 0xdf346f8d160424c79cb8e8b49b13dd0ca61c3b8c.
That admin change is the basis for the suspicion that a stolen deployer key was behind the hack. Once the proxy was upgraded, the malicious contract was able to transfer out several tokens, draining Sentiment's funds. The stolen assets were reportedly moved to the Ethereum blockchain through the Synapse bridge. After completing the transactions, the attacker deleted the contract code again.
Initiatives Made by the Platform to Find the Hacker
Sentiment is now working with law enforcement to track down the hacker and recover the stolen funds. Together with outside security auditors, the team fixed the issue and deployed a patch that lets users repay debts and exit their positions.
Sentiment has sent the hacker a message offering a deal: the attacker may keep 10% of the stolen funds as a bounty for returning the rest. According to the message, the offer, worth $95,000, stands if the assets are returned before April 6; after that, Sentiment says it will give the bounty to whoever reveals the attacker's identity instead. Meanwhile, Sentiment retained only $5.8 million of its $10.76 million total value locked (TVL) as of April 4.
Sentiment is a liquidity protocol that offers permissionless, undercollateralized lending on-chain. It aims to address capital inefficiency in DeFi by enabling undercollateralized on-chain borrowing, and it reduces counterparty risk through on-chain hypothecation.