Token infrastructure platform Hedgey Finance lost approximately $44.5 million of digital assets within two hours across Ethereum’s layer-2 network Arbitrum and Binance Smart Chain.
In an April 19 statement shared with CryptoSlate, blockchain security firm Cyvers explained that an attacker exploited Hedgey’s “createLockedCampaign” function, using flash-loaned capital to siphon off the platform’s assets.
A breakdown of the theft showed that the attacker initially stole $1.9 million, which was immediately swapped to the DAI stablecoin and transferred to an external address.
The attacker then exploited the same vulnerability on Arbitrum to steal a further $42.8 million, having first received funding on the Ethereum chain via FixedFloat.
Cyvers stated that “despite detection by Cyvers, attempts to reach Hedgey Finance’s team were unsuccessful” and suggested more open collaboration between dApps and security firms is important to “mitigate risks and rebuild trust.”
Following the attack, the address involved emerged as the largest holder of the BONUS token. BONUS is the native token of BonusBlock, a project focused on acquiring and onboarding high-quality users for the Web3 ecosystem.
According to CoinMarketCap data, the token’s price has dropped by around 10% to $0.5084 as a result of the incident.
Notably, the attacker has already begun moving some of the stolen assets, sending over 200,000 BONUS tokens worth about $110,000 to the Bybit exchange.
In response to the exploit, Hedgey Finance said it was investigating the attack and advised users with active claims to cancel them using the “End Token Claim” feature on the platform’s website. It added:
“We are actively working with our auditors and team to understand the attack and stop any ongoing attack. We will share more information as we learn more.”
Meanwhile, numerous fraudulent accounts impersonating the Hedgey protocol have surfaced on social media platform X. They urge affected users to request refunds or revoke their smart contract approvals through phishing links. A genuine revocation is simply an approve(spender, 0) or setApprovalForAll(operator, false) transaction sent from the user’s own wallet directly to the token contract; a page that instead asks for a new approval or a signature is the attack, so the calldata should be inspected before signing.
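As an added example (not code from the article, Hedgey Finance or Cyvers), here is an offline check of the calldata a wallet is asked to sign when a link claims to “revoke approvals”. It decodes the standard ERC-20/ERC-721 approval selectors and accepts a transaction only if it actually clears the allowance or operator flag for the spender the user intended. The addresses, sample transactions and helper names (`encode_call`, `check_revocation`, `Verdict`) are constructed for this illustration.

```python
# Added example, not from the article, Hedgey Finance or Cyvers.
# Decodes the calldata of an approval transaction and reports whether it is
# a genuine revocation (allowance/operator cleared) or a new grant.
from dataclasses import dataclass
from typing import Optional

UINT256_MAX = (1 << 256) - 1

# Standard 4-byte selectors: first 4 bytes of keccak256 of the signature.
SELECTORS = {
    "095ea7b3": "approve(address,uint256)",            # ERC-20 and ERC-721
    "a22cb465": "setApprovalForAll(address,bool)",     # ERC-721 and ERC-1155
    "39509351": "increaseAllowance(address,uint256)",  # OpenZeppelin ERC-20
}


@dataclass
class Verdict:
    function: str
    spender: str
    value: int
    safe_revocation: bool
    reason: str


def encode_call(selector_hex: str, spender: str, value: int) -> str:
    """ABI-encode a (address, uint256-or-bool) call as 0x-prefixed calldata."""
    spender_word = int(spender, 16).to_bytes(32, "big")
    value_word = value.to_bytes(32, "big")
    return "0x" + selector_hex + spender_word.hex() + value_word.hex()


def check_revocation(calldata_hex: str, expected_spender: Optional[str] = None) -> Verdict:
    """safe_revocation is True only for approve(x, 0) or setApprovalForAll(x, false),
    and only if x matches expected_spender when one is supplied."""
    raw = calldata_hex[2:] if calldata_hex.startswith("0x") else calldata_hex
    data = bytes.fromhex(raw)
    if len(data) != 4 + 2 * 32:
        return Verdict("unknown", "", 0, False, "calldata is not a two-argument call")
    selector = data[:4].hex()
    sig = SELECTORS.get(selector)
    if sig is None:
        return Verdict("unknown", "", 0, False, f"unrecognized selector 0x{selector}")
    spender_word = int.from_bytes(data[4:36], "big")
    value = int.from_bytes(data[36:68], "big")
    if spender_word >> 160:
        return Verdict(sig, "", value, False, "address argument has non-zero high bits")
    spender = "0x" + spender_word.to_bytes(20, "big").hex()
    if expected_spender is not None and spender != expected_spender.lower():
        return Verdict(sig, spender, value, False,
                       "spender differs from the contract you meant to revoke")
    if sig.startswith("approve("):
        if value == 0:
            return Verdict(sig, spender, value, True, "allowance set to zero")
        amount = "unlimited" if value == UINT256_MAX else str(value)
        return Verdict(sig, spender, value, False, f"grants an allowance of {amount}")
    if sig.startswith("setApprovalForAll("):
        if value == 0:
            return Verdict(sig, spender, value, True, "operator approval cleared")
        return Verdict(sig, spender, value, False, "grants operator rights over every token")
    return Verdict(sig, spender, value, False, "increaseAllowance can only widen an allowance")


# Constructed sample data (hypothetical addresses, not the real ones).
SPENDER = "0x" + "11" * 20    # the contract whose allowance the user wants to revoke
ATTACKER = "0x" + "22" * 20   # an address a phishing page might substitute
LEGIT_REVOKE = encode_call("095ea7b3", SPENDER, 0)
PHISHING_UNLIMITED = encode_call("095ea7b3", ATTACKER, UINT256_MAX)
PHISHING_OPERATOR = encode_call("a22cb465", ATTACKER, 1)

if __name__ == "__main__":
    for name, tx in [("legit revoke", LEGIT_REVOKE),
                     ("phishing approve", PHISHING_UNLIMITED),
                     ("phishing setApprovalForAll", PHISHING_OPERATOR)]:
        v = check_revocation(tx, expected_spender=SPENDER)
        print(f"{name}: {v.function} -> {'OK' if v.safe_revocation else 'REJECT'} ({v.reason})")
```

The check is deliberately strict: anything that is not a recognized approval call with a zero amount or a false operator flag is rejected, and supplying the spender you expect catches the common trick of presenting a “revoke” that actually targets a different address.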