DeFi platform Sentiment suffers $1 million attack on Arbitrum network
Quick Take
- An attacker exploited a reentrancy bug via a flash loan to drain nearly $1 million from Arbitrum-based DeFi project Sentiment.
- The Sentiment team acknowledged the attack and temporarily suspended its smart contracts to prevent further deposits.
We'd love your feedback.
Sentiment, a DeFi platform built on the Arbitrum Layer 2 network, suffered a flash loan-enabled attack that led to a loss of nearly $1 million. Sentiment is a lending protocol that allows users to borrow assets using liquidity pool tokens from Balancer.
On Tuesday night, an attacker exploited the platform by obtaining a flash loan to borrow large amounts of assets such as wrapped bitcoin (WBTC) and wrapped ETH (WETH), which were then used as collateral to inflate asset prices on Sentiment's lending pools.
Flash loans are large and cheap loans taken out on the basis that the borrowed sum gets returned within the same transaction, a tactic that is made possible with smart contracts.
As the attacker manipulated lending pools, the combined balances grew. A flaw in Sentiment was that it incorrectly calculated the total asset value based on the tampered exchange rates. The attacker was then able to take advantage of a reentrancy bug in the underlying smart contract logic to drain funds, Lei Wu, chief technical officer at security firm BlockSec, explained.
By continuously invoking the withdraw function, the attacker drained roughly $1 million in ether from Sentiment before the platform's contract balance could be accurately updated. The stolen assets, some 517.5 ETH ($990,000), were subsequently transferred to the Ethereum mainnet and remain in the attacker's address.
The Sentiment team acknowledged the attack and temporarily suspended its smart contracts to prevent further deposits. Withdrawals, however, remain active. The team has implemented a patch to address the vulnerability and said it was focused on recovering user funds as its primary objective.
A pop-up on Sentiment says that the team had insurance coverage through DeFi insurance provider Sherlock. The team has yet to confirm if the lost funds will be reimbursed as per its insurance agreement.
Update: Following the incident, the Sentiment said it entered into negotiations with the exploiter, and as a result, 90% of the stolen funds have been returned to the project, as agreed upon by both parties.
© 2026 The Block. All Rights Reserved. This article is provided for informational purposes only. It is not offered or intended to be used as legal, tax, investment, financial, or other advice.
