
Sentiment Protocol Hacked for Almost $1 Million: How the Attack Happened

bsc.news, 05 April 2023 12:51 UTC

Hacker Took Advantage of a Reentrancy Vulnerability

The Sentiment liquidity protocol on the Arbitrum blockchain was hacked on April 4 for almost $1 million in various tokens, including wrapped Bitcoin and Ether.

The total loss is ~$1M. Here comes the flow of stolen funds. https://t.co/j95JNdBzlq pic.twitter.com/x4XjmugkTR

— PeckShieldAlert (@PeckShieldAlert) April 5, 2023

The Sentiment team confirmed the attack, stating that unusual borrowing activity had been identified as a malicious exploit. To contain the situation, the team paused the main contract and disabled all functionality except withdrawals.

1/4

A status update on the current situation: At approximately 06:00:00 PM +UTC The Sentiment team became aware of abnormal borrowing activity which has now been declared as a malicious exploit.

— Sentiment (@sentimentxyz) April 5, 2023

Possible Cause for the Attack

The attacker apparently stole the tokens via a reentrancy vulnerability and then bridged them to the Ethereum chain. As CertiK points out, the root cause is a read-only reentrancy in Balancer.

#CertiKSkynetAlert 🚨@sentimentxyz has been exploited for ~969k due to a “read-only reentrancy” attack, where the attacker borrowed assets with a tilted price in the fallback function.

Thread 👇 pic.twitter.com/BWldtsNSxA

— CertiK Alert (@CertiKAlert) April 4, 2023

The price oracle derives the LP token price from the asset balances in the pool and the total supply of LP tokens. As reported, by calling the Balancer vault's joinPool() function, the exploiter increased the overall supply of the LP token, depositing 606 WBTC, 10,000 WETH, and 18 million USDC. The funds were then withdrawn using exitPool(), which sent out 606.8 WBTC, 1,000 ETH, and 17.9 million USDC in sequence.

When the ETH payout triggers the attacker's fallback function, the LP token supply has already been reduced, but the pool balances of WBTC, WETH, and USDC have not yet been updated, so the oracle price is tilted and the attacker can borrow a large amount of assets at the skewed price.
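The mechanism above, as an added Python model that is not Sentiment's or Balancer's code: a toy vault burns LP tokens, pays tokens out (invoking the receiver's callback, as a native-ETH payout invokes a fallback function), and only then records the new balances. A naive oracle that computes `pool value / LP supply` returns an inflated price from inside that callback; a guarded oracle first probes a lock-protected vault entry point and refuses to quote while the vault is mid-operation, which mirrors the `manageUserBalance` probe Balancer documented for integrators. The token balances, prices and LP supply are constructed and are not the incident's figures.

```python
"""Model of a Balancer-style pool exit with a callback, the LP price an oracle derives
from pool balances and LP supply, and a lock probe before trusting a quote.
Added example, not Sentiment's or Balancer's code; all numbers are constructed."""
from typing import Callable, Dict, List, Optional


class VaultReentrancy(Exception):
    """Raised when a locked vault entry point is called mid-operation."""


class MockVault:
    """Stand-in for the vault: token balances of one pool and its LP supply."""

    def __init__(self, balances: Dict[str, float], lp_supply: float) -> None:
        self.balances = dict(balances)
        self.lp_supply = lp_supply
        self._locked = False  # models the vault's reentrancy lock

    def manage_user_balance(self, ops: List) -> None:
        """Lock-protected entry point; reverts if an operation is in progress."""
        if self._locked:
            raise VaultReentrancy("vault is mid-operation")

    def exit_pool(self, lp_burned: float, amounts_out: Dict[str, float],
                  on_receive: Optional[Callable[[str, float], None]] = None) -> None:
        """Burn LP, pay tokens out (running the receiver's callback), then record
        balances. Payout-before-bookkeeping is what makes the views inconsistent."""
        self._locked = True
        try:
            self.lp_supply -= lp_burned
            for token, amount in amounts_out.items():
                if on_receive is not None:
                    on_receive(token, amount)  # receiver code runs here
            for token, amount in amounts_out.items():
                self.balances[token] -= amount
        finally:
            self._locked = False


def naive_lp_price(vault: MockVault, prices: Dict[str, float]) -> float:
    """Oracle that trusts balances and supply whenever it is called."""
    value = sum(vault.balances[t] * prices[t] for t in vault.balances)
    return value / vault.lp_supply


def guarded_lp_price(vault: MockVault, prices: Dict[str, float]) -> float:
    """Same formula, but probes the vault lock first and refuses a mid-operation quote."""
    try:
        vault.manage_user_balance([])  # empty op list: no effect unless locked
    except VaultReentrancy:
        raise RuntimeError("refusing to quote LP price while vault is mid-operation")
    return naive_lp_price(vault, prices)


PRICES = {"WBTC": 28_000.0, "WETH": 1_800.0, "USDC": 1.0}  # constructed USD prices


def make_vault() -> MockVault:
    # Constructed pool: $2.8M WBTC + $1.8M WETH + $1M USDC = $5.6M, 5.6M LP => $1 per LP.
    balances = {"WBTC": 100.0, "WETH": 1_000.0, "USDC": 1_000_000.0}
    return MockVault(balances, lp_supply=5_600_000.0)


def price_at_rest(oracle: Callable) -> float:
    """LP price the oracle reports when no vault operation is in progress."""
    return oracle(make_vault(), PRICES)


def price_seen_during_exit(oracle: Callable) -> Optional[float]:
    """Run a 50% exit and return the LP price the oracle reports from inside the
    WETH payout callback, or None if the oracle refused to answer."""
    vault = make_vault()
    seen: List[Optional[float]] = []

    def receiver(token: str, amount: float) -> None:
        if token == "WETH" and not seen:  # the ETH payout is where a fallback fires
            try:
                seen.append(oracle(vault, PRICES))
            except RuntimeError:
                seen.append(None)

    vault.exit_pool(2_800_000.0,
                    {"WBTC": 50.0, "WETH": 500.0, "USDC": 500_000.0},
                    on_receive=receiver)
    return seen[0]


if __name__ == "__main__":
    print("at rest:", price_at_rest(naive_lp_price))
    print("naive oracle inside callback:", price_seen_during_exit(naive_lp_price))
    print("guarded oracle inside callback:", price_seen_during_exit(guarded_lp_price))
```

At rest both oracles report 1.0 per LP token. Inside the callback the supply has halved while balances are untouched, so the naive oracle reports 2.0; the guarded oracle raises instead, and a lending protocol that only accepts quotes from the guarded path never prices collateral against the transient state.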

Sentiment is now tracing the funds stolen from the protocol. In addition, the team is working with law enforcement to identify the hacker and recover the funds.

In collaboration with third-party security auditors, the Sentiment team released a fix resolving the vulnerability, allowing users to repay debts and unwind their positions.

Sentiment also sent a message to the hacker, offering to let them keep 10% of the stolen funds as a bounty if they returned the rest. In the message, the company promised a $95,000 payment if the assets were returned before 8 a.m. UTC on April 6.

If the funds are not returned, Sentiment will instead pay the bounty to those who provide information about the hacker. The liquidity protocol on Arbitrum had previously been audited by two crypto security firms.

Sentiment has a total value locked (TVL) of $5.8 million, down from $10.76 million on April 4.

What is Sentiment:

Sentiment is a liquidity protocol that enables permissionless undercollateralized borrowing on-chain. The protocol aims to address capital inefficiencies in DeFi by offering a primitive-based solution for permissionless, undercollateralized on-chain credit. By implementing on-chain hypothecation, Sentiment mitigates the challenge of widespread counterparty risk.
