Search Inside Bitcoins

Sentiment Breached To The Tune Of $500 Million


The lending protocol Sentiment appears to have fallen victim to a security attack, leading to the loss of over $500 million in cryptocurrencies. The Sentiment team took to Twitter to confirm that the unusual borrowing activity had been identified as a malicious exploit. The exploit is said to have transferred 536,738.41001 USD Coin (USDC) from the Synapse Bridge, which can be traced back to several Arbitrum transactions that drained funds from Sentiment.

According to Arbiscan, the wallet responsible for the attack is known as “Sentimentxyz Exploiter.” The Sentiment team has paused the main contract and disabled all functionality except withdrawals to deal with the issue.

The attacker stole the tokens through a reentrancy vulnerability and later transferred them to the Ethereum chain. This is according to a Twitter user known as Officer’s Notes, who relied on another Twitter user, FrankResearcher, to arrive at this conclusion.

How the Attack Went Down on Sentiment Protocol

Some investigations suggest that the attacker might have stolen the lending protocol’s deployer key. The attacker began by deploying a contract to the Arbitrum network at the following address: 0xa4d063b9468b93aee2a87ec7072c3dabd5ee5968

A minute later, they called the “run” function on the contract. The call did not go through and returned the response “Fail with error ‘BAL#420’”. The attacker then called the “self-destruct” function on the contract, which succeeded and wiped all of the contract’s code from the blockchain.

After destroying this contract, the attacker redeployed at the following address: 0x9f626F5941FAfe0A5b839907d77fbBD5d0deA9D0. The attacker then called the “run” function again. This time it went through, causing the contract to carry out several transactions. One of those transactions changed the admin for a BeaconProxy contract located at the address 0xdf346f8d160424c79cb8e8b49b13dd0ca61c3b8c

This suggests the attack may have occurred due to the stolen deployer key of Sentiment’s lending protocol. Additionally, after the contract was upgraded, the malicious smart contract approved the attacker to transfer various tokens, which led to the loss of funds from Sentiment. The stolen funds are said to have been moved via the Synapse bridge to the Ethereum blockchain. After completing the transactions, the attacker once again destroyed the contract code. 
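The sequence described above (a freshly deployed contract becomes admin of the BeaconProxy, is granted token approvals, then has its code destroyed) can be turned into a monitoring rule. The following is an added example, not code from Sentiment or from this article; the event record format, the admin allow-list and the token names are constructed for illustration, and only the two contract addresses come from the text above.

```python
# Constructed, pre-decoded event records (not real chain data). PROXY and
# ACTOR are the addresses quoted in the article; the rest are placeholders.
PROXY = "0xdf346f8d160424c79cb8e8b49b13dd0ca61c3b8c"
ACTOR = "0x9f626F5941FAfe0A5b839907d77fbBD5d0deA9D0".lower()
KNOWN_ADMINS = {"0xknown_admin_placeholder"}

EVENTS = [
    {"block": 100, "kind": "ContractCreated", "address": ACTOR},
    {"block": 101, "kind": "AdminChanged", "address": PROXY, "new_admin": ACTOR},
    {"block": 101, "kind": "Approval", "owner": PROXY, "spender": ACTOR, "token": "TOKEN_A"},
    {"block": 101, "kind": "Approval", "owner": PROXY, "spender": ACTOR, "token": "TOKEN_B"},
    {"block": 102, "kind": "SelfDestruct", "address": ACTOR},
    # Benign case: admin rotated to an allow-listed address.
    {"block": 300, "kind": "AdminChanged", "address": PROXY,
     "new_admin": "0xknown_admin_placeholder"},
]


def detect_admin_takeover(events, watched, known_admins, window=50):
    """Alert on admin changes to non-allow-listed addresses on watched proxies,
    enriched with the follow-on signals the article describes."""
    created = {e["address"]: e["block"] for e in events if e["kind"] == "ContractCreated"}
    destroyed = {e["address"]: e["block"] for e in events if e["kind"] == "SelfDestruct"}
    alerts = []
    for e in sorted(events, key=lambda ev: ev["block"]):
        if e["kind"] != "AdminChanged" or e["address"] not in watched:
            continue
        admin = e["new_admin"]
        if admin in known_admins:
            continue  # expected rotation, no alert
        # Token approvals granted by the proxy to the new admin shortly after.
        tokens = [a["token"] for a in events
                  if a["kind"] == "Approval" and a["owner"] == e["address"]
                  and a["spender"] == admin and 0 <= a["block"] - e["block"] <= window]
        alerts.append({
            "proxy": e["address"], "new_admin": admin, "block": e["block"],
            "approved_tokens": tokens,
            # New admin is a contract deployed only a few blocks earlier.
            "fresh_contract": 0 <= e["block"] - created.get(admin, -10**9) <= window,
            # New admin's code was removed after the change.
            "self_destructed": destroyed.get(admin, -1) >= e["block"],
            "severity": "critical" if tokens else "high",
        })
    return alerts


if __name__ == "__main__":
    for alert in detect_admin_takeover(EVENTS, {PROXY}, KNOWN_ADMINS):
        print(alert)
```

An admin change to an address outside the allow-list is worth paging on by itself; the approvals, contract age and self-destruct fields only raise confidence and speed up triage.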

The Platform’s Efforts to Identify the Hacker

Sentiment is now working with law enforcement to identify the hacker and recover the stolen funds. In collaboration with third-party security auditors, the team released a fix resolving the vulnerability, enabling users to repay debts and unwind their positions.

Sentiment has sent a notice to the hacker, offering them a deal. The protocol has told the attacker to keep 10% of the stolen funds as a bounty if they return the remaining funds. As per the letter, the platform promised a $95,000 payment if the assets were returned by April 6. However, the prize will not be returned, but Sentiment has noted that it will distribute it to those who provide information regarding the attacker. Sentiment has a total locked volume of $5.8 million, from $10.76 million, as of April 4.

Sentiment is a liquidity protocol that provides permissionless undercollateralized lending on-chain. It aims to address capital inefficiencies in DeFi by offering a solution for undercollateralized on-chain credit. Notably, the platform mitigates the counterparty risk challenge by implementing on-chain hypothecation.
