Crypto trading platform Hashflow has assured affected users that they will be “made whole” following an exploit that saw at least $600,000 in digital assets removed from the platform.
On June 14, blockchain security firm Peckshield reported an ongoing issue with the Hashflow trading platform.
“It appears there is an approve-related issue,” the firm noted, reporting losses of around $600,000 in Arbitrum’s ARB token and Ether (ETH).
A couple of hours later, Hashflow alerted users that it was addressing the current situation related to contract approvals as flagged by Peckshield, adding:
“All users comprising the ~$600K affected will be made whole.”
The firm, which provides cross-chain swaps as part of its trading services, added that its decentralized exchange “was in no way impacted and remains fully operational.”
We’re addressing the current situation flagged by @peckshield. Please be assured that:
1. All users comprising the ~$600K affected will be made whole.
2. The Hashflow DEX was in no way impacted and remains fully operational. We will share a detailed post mortem once complete.
— hashflow (@hashflow) June 14, 2023
Peckshield suggested that the hacker that carried out the exploit may be a white hat hacker, as they provided a contract with a recovery function along with a second option for a donation.
Hashflow updated its status on June 15, providing recovery instructions for those affected by the exploit, which impacted Ethereum, Arbitrum, Avalanche, BNB Chain and Polygon.
Users were told they must “revoke approvals before recovering funds.”
There are two options for fund recovery: the first is for the total funds, and the second will donate 10% to the supposed white hat hacker who exploited the vulnerability but prevented further losses in doing so.
DeFi enthusiast YannickCrypto detailed the process, noting that the white hat had verified the contract but warning that users must revoke token allowances to deprecated contracts or they’ll get hacked again.
Hey @hashflow, it seems like you got exploited from 0xddb19a1bd22c53dac894ee4e2fbfdb0a06769216. https://t.co/oplaYWY4Bn
There are two withdraw functions, one with 10% and one without bribe!
Find out how you can withdraw your stolen funds in next tweet
— yannickcrypto.eth (@YannickCrypto) June 14, 2023
Hashflow’s native token, HFT, fell 7% in the 12 hours following the incident, dropping to $0.338 at the time of writing, according to CoinGecko. The token remains down 90% from its November 2022 all-time high of $3.61.
It is the second DeFi exploit this week, as lending platform Sturdy Finance lost around $800,000 worth of Ethereum on June 12. The vulnerability was related to price manipulation, according to Peckshield, which issued the alert.
Sturdy Finance offered a bounty of $100,000 to the exploiter for the return of the funds.