Self-proclaimed 'safest' DeFi lender loses $6 million in hack

Quick Take

  • LendHub says hackers stole $6 million from its protocol on Jan. 12.
  • The hacker has reportedly routed $1.5 million worth of ether to Tornado Cash.

DeFi lender LendHub lost $6 million of crypto assets in an attack, the team reported on Friday.

LendHub stated that the attack occurred on Jan. 12. The DeFi lender added that it has contacted blockchain security firms and crypto exchanges to assist with tracking the stolen crypto. 

On-chain data shows the hacker's wallet address withdrew 100 ether ($134,000) from sanctioned crypto mixer Tornado Cash. The attacker then bridged these funds to the LendHub platform and attacked the protocol through a critical vulnerability that the team had not yet fixed.

This vulnerability involved the presence of two IBSV cTokens on the platform, one of which had been replaced by the other, blockchain security firm SlowMist told The Block. LendHub had failed to delete the old one from its protocol. The discrepancy in asset pricing between the two tokens on the lending platform created the vulnerability.

"Exploiting this vulnerability, the attackers were able to manipulate the minting and redeeming process in the old market while borrowing in the new market, ultimately stealing significant protocol funds from the new market," said the SlowMist team.

The attacker soon began bridging the stolen funds from the Heco network — the network where LendHub operates — to other chains like Ethereum and Optimism. These cross-chain transfers were made through several services, including Transit Swap and Multichain. The hacker's wallet still holds about $2.6 million worth of USDT and DAI stablecoins as of the time of reporting.

LendHub touts itself as the "safest decentralized lending platform" for cross-chain lending. 

The DeFi lender has stated that it will conduct a full investigation into the incident.

Update: This article has been updated to include comments from blockchain security firm SlowMist detailing how the attack occurred.

© 2023 The Block Crypto, Inc. All Rights Reserved.