Trading firm Hashflow faces ongoing exploit, with $600,000 lost: PeckShield

Quick Take

  • Trading firm Hashflow appears to be facing an ongoing exploit.
  • More than $600,000 in ether and arbitrum have been taken.

Trading firm Hashflow is facing an ongoing exploit that has taken $600,000 in ether and arbitrum.

The vulnerability appears to relate to the firm's bridge contract, according to PeckShield. Hashflow offers cross-chain swaps as part of its trading service.

PeckShield said the exploit related to contract approvals. Since the exploit started, it seems that Hashflow has moved to revoke approvals for multiple tokens.

The affected address is the Hashflow deployer address labelled on Etherscan. The exploit affects the contract on at least the Ethereum, Arbitrum, Binance Smart Chain, Polygon and Avalanche chains.

Possible white hat hacker

It appears that the person who carried out the exploit did so to prevent the funds from being stolen and may be a white hat hacker. They have made it possible for the funds to be claimed by their original owners, with the option to leave a 10% tip for their actions.

Hashflow said on Twitter that it's "addressing the current situation" and added that all users would be made whole. 

"The Hashflow DEX was in no way impacted and remains fully operational," the company said. "We will share a detailed post mortem once complete."

Updates with comment from Hashflow, tweet about possible white hat hacker.  

© 2023 The Block. All Rights Reserved.