BlockSec, a smart contract audit firm, said it prevented a hacker from exploiting a major vulnerability to steal 2,900 ether ($5 million) from the NFT lending project Paraspace.
BlockSec detected a hack in real time and rescued the funds, it said.
“We monitored and observed the failed transaction. Meanwhile, we re-deployed the [hacker's] contract with some upgrades to do the rescue,” Matthew Jiang, director of security services at BlockSec, told The Block.
Paraspace said in a Twitter post it had paused its lending protocol and was investigating the issue. It added that NFT assets deposited to the platform were safe.
BlockSec thwarts theft using its real-time monitoring system
The vulnerability in Paraspace’s lending contracts could have allowed the attacker to borrow crypto tokens with less NFT collateral than needed, which may have then allowed the hacker to drain its liquidity. “On Paraspace, the loan collateral's balance could be manipulated by the attacker,” Jiang further noted.
BlockSec added that it was able to thwart the hack using an internal system that detects hacking incidents in real time. "We have an internal system that is able to monitor attack transactions and try to prevent them automatically," said Lei Wu, co-founder and CTO of BlockSec.
After the incident, the hacker left an on-chain message requesting BlockSec return gas fees of about 0.7 ETH the person spent in trying to hack Paraspace. "I couldn't make it work because of a stupid gas estimation error. Since I lost a lot of money trying to make it work, it would be cool to get at least some of them back... best of luck," the hacker wrote.
This was not the first time BlockSec had leveraged its internal system to save funds for projects. BlockSec was able to rescue $3.8 million from the exploiters of Saddle Finance in April 2022. In February it recovered $2.4 million from Platypus Finance hackers.
Paraspace did not immediately respond to a request for comment.