Decentralized finance (DeFi) protocol Tender.fi has been made whole after the hacker who exploited the platform earlier this week returned the $1.6 million taken. The white hat hacker noticed a glitch in Tender.fi’s pricing oracle, which allowed them to borrow a significant amount against a modest deposit.
According to a post-mortem report published by Tender.fi earlier today, the DeFi lending protocol had upgraded its price feed to Chainlink’s price oracle on March 6, a day before the exploit. The new price feed derived the price of the GMX token from Chainlink, rather than a time-weighted average price (TWAP). The new code was reportedly audited by blockchain intelligence firm PeckShield.
However, the Chainlink price oracle had a glitch that let the hacker deposit one GMX token, worth nearly $70 at the time, and borrow a whopping $1.6 million against that deposit. A decimal error in the Solidity contract caused it to treat the 1 GMX collateral as having more value on Tender.fi than all Bitcoin in existence.
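The class of bug described above, as an added example (not Tender.fi's contract code and not taken from its post-mortem): Python integers model the fixed-point arithmetic a lending contract performs, showing how one wrong scaling exponent inflates collateral and how a deviation check against a second reference price rejects it. The 8-decimal feed answer, the 18-decimal token, the over-scaling defect, the TWAP reference value and the 10% bound are all constructed assumptions.

```python
# Added illustration; every constant and the defect itself are assumptions.
FEED_DECIMALS = 8     # assumed: USD feed answer carries 8 decimals
TOKEN_DECIMALS = 18   # assumed: collateral token has 18 decimals
WAD = 10**18          # internal precision: USD values carry 18 decimals
BPS = 10_000


def normalize(answer, feed_decimals=FEED_DECIMALS):
    """Scale a raw feed answer to USD per whole token, 18 decimals."""
    return answer * 10 ** (18 - feed_decimals)


def normalize_buggy(answer):
    """Constructed defect: treats the answer as having no decimals,
    so the result is 10**8 times too large."""
    return answer * 10**18


def collateral_usd(amount_raw, price_wad):
    """USD value (18 decimals) of amount_raw base units of collateral."""
    return amount_raw * price_wad // 10**TOKEN_DECIMALS


def checked_price(answer, reference_wad, normalizer=normalize, max_dev_bps=1_000):
    """Normalize the feed answer, then reject it if it strays more than
    max_dev_bps from an independent reference such as a TWAP."""
    price = normalizer(answer)
    if price <= 0 or reference_wad <= 0:
        raise ValueError("non-positive price")
    if abs(price - reference_wad) * BPS > reference_wad * max_dev_bps:
        raise ValueError("oracle price deviates from reference; pause borrowing")
    return price


def demo():
    answer = 70 * 10**FEED_DECIMALS   # constructed feed answer: $70.00
    twap = 69 * WAD                   # constructed reference price: $69.00
    one_token = 10**TOKEN_DECIMALS    # 1 whole token in base units
    good = collateral_usd(one_token, checked_price(answer, twap)) // WAD
    inflated = collateral_usd(one_token, normalize_buggy(answer)) // WAD
    try:
        checked_price(answer, twap, normalizer=normalize_buggy)
        blocked = False
    except ValueError:
        blocked = True
    return good, inflated, blocked


if __name__ == "__main__":
    print(demo())
```

A check of this kind belongs in the oracle adapter itself, so a mis-scaled price fails closed before any borrow limit is computed from it.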
After borrowing the huge sum, the white hat left an on-chain message for the protocol, which read, “It looks like your oracle was misconfigured. Contact me to sort this out.” The Tender.fi team reached out to the hacker over DeBank and negotiated repayment of the massive loan in exchange for a bounty of 62.15 ETH, worth nearly $100,000 at the time.
Tender.fi (@tender_fi), March 10, 2023: “Borrowing has been unpaused!”
The DeFi lending protocol took to Twitter earlier today to inform its community that it has resumed all borrowing services. Tender.fi had suspended the borrowing feature in light of the exploit on March 7.