
SharkTeam: Analysis of the Hedgey Finance Attack Incident

The root cause of this incident is a token approval vulnerability in the project's smart contract implementation logic.
Author: SharkTeam
On April 19, 2024, Hedgey Finance was hit by a series of attack transactions, with total losses exceeding $2 million.
SharkTeam carried out an immediate technical analysis of the incident and summarized the relevant security precautions, in the hope that future projects can learn from this case and help build a secure defense for the blockchain industry.
1. Attack Transaction Analysis
Hedgey Finance was attacked by multiple attackers who exploited a token approval vulnerability to steal large amounts of tokens from the ClaimCampaigns contract.
Take the transaction with the largest amount involved as an example; it stole approximately $1.3 million:
Attack transaction: 0x2606d459a50ca4920722a111745c2eeced1d8a01ff25ee762e22d5d4b1595739
Attacker: 0xded2b1a426e1b7d415a40bcad44e98f47181dda2
Attack contract: 0xc793113f1548b97e37c409f39244ee44241bf2b3
Target contract: 0xbc452fdc8f851d7c5b72e1fe74dfb63bb793d511 (ClaimCampaigns)
This transaction directly transferred 1,303,910.12 USDC from the ClaimCampaigns contract. The transaction details are as follows:

The actual attack transaction is 0xa17fdb804728f226fcd10e78eae5247abd984e0f03301312315b89cae25aa517 (abbreviated below as 0xa17f).
The attack process is as follows:

1. Flash loan 1.305M USDC from Balancer.
2. Call the createLockedCampaign function of the ClaimCampaigns contract. In this call, the attacker's contract transfers the 1.305M USDC into the ClaimCampaigns contract, after which ClaimCampaigns approves the attacker's contract to spend 1.305M USDC from its own balance.
3. Call the cancelCampaign function of the ClaimCampaigns contract. In this call, the attacker's contract gets the deposited 1.305M USDC back, but the approval granted to it in createLockedCampaign is left in place.
4. The attacker's contract repays the Balancer flash loan.
In this transaction, after the attacker's contract had withdrawn the 1.305M USDC it deposited into ClaimCampaigns, the 1.305M USDC approval that ClaimCampaigns had granted to the attacker's contract was never revoked. The attacker's contract could therefore call the transferFrom function of USDC directly and pull a second 1.305M USDC (bounded by what the contract still held) out of the ClaimCampaigns contract. That is exactly what the transaction examined at the start of this section, 0x2606d459a50ca4920722a111745c2eeced1d8a01ff25ee762e22d5d4b1595739, did.
Through these two transactions, the attacker stole approximately 1.3M USDC from the ClaimCampaigns contract.
In addition to USDC, the attacker also used this vulnerability to steal a large amount of NOBL tokens from the ClaimCampaigns contract. Combined with USDC, the total value exceeded $2 million.
2. Vulnerability Analysis
The root cause of this incident is a token approval vulnerability in the project's smart contract logic: the target contract's approval to msg.sender survives after the tokens backing it have already been withdrawn, so the approved amount can be spent a second time.
The createLockedCampaign function of the ClaimCampaigns contract transfers msg.sender's tokens into the contract and then approves msg.sender to spend the same amount from the contract's balance.

The cancelCampaign function transfers the deposited tokens back out but does not reduce or revoke that approval.

An attacker exploits this by calling the token's transferFrom function directly, spending the stale approval to pull the approved amount out of the target contract's remaining balance a second time.
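To make the sequence concrete, here is an added Python model of the two functions and the two-transaction flow described above. It is not SharkTeam's code and not the project's Solidity; the token ledger, the contract and attacker names, the campaign id, and the pre-existing 1,303,910 USDC balance (borrowed from the figure quoted in section 1 purely for illustration) are all constructed assumptions, and the approval logic is simplified to a plain approve/transferFrom pair. The same code also runs a hardened variant in which cancelCampaign zeroes the approval at the moment it returns the deposit.

```python
# Added illustration, not SharkTeam's or Hedgey Finance's code: a Python model
# of the dangling-approval bug. Contract names, the campaign id and the
# pre-existing deposit figure are constructed for the example.

class ERC20:
    """Minimal ERC20 ledger: balances plus allowance keyed by (owner, spender)."""

    def __init__(self):
        self.balance = {}
        self.allowance = {}

    def mint(self, to, amount):
        self.balance[to] = self.balance.get(to, 0) + amount

    def transfer(self, sender, to, amount):
        if self.balance.get(sender, 0) < amount:
            raise ValueError("insufficient balance")
        self.balance[sender] = self.balance.get(sender, 0) - amount
        self.balance[to] = self.balance.get(to, 0) + amount

    def approve(self, owner, spender, amount):
        # Mirrors approve(): overwrites the allowance rather than adding to it.
        self.allowance[(owner, spender)] = amount

    def transfer_from(self, spender, owner, to, amount):
        # Mirrors transferFrom(): spender moves owner's tokens within the allowance.
        if self.allowance.get((owner, spender), 0) < amount:
            raise ValueError("insufficient allowance")
        self.allowance[(owner, spender)] -= amount
        self.transfer(owner, to, amount)


class ClaimCampaigns:
    """Simplified model of the two functions discussed in the analysis."""

    NAME = "ClaimCampaigns"  # the contract's own address in the ledger

    def __init__(self, token, revoke_on_cancel):
        self.token = token
        self.revoke_on_cancel = revoke_on_cancel  # False = vulnerable, True = hardened
        self.campaigns = {}  # campaign id -> (manager, amount)

    def create_locked_campaign(self, caller, campaign_id, amount):
        # Pull the caller's tokens in, then approve the caller to spend that
        # amount from the contract's balance (the behaviour described above).
        self.token.transfer(caller, self.NAME, amount)
        self.token.approve(self.NAME, caller, amount)
        self.campaigns[campaign_id] = (caller, amount)

    def cancel_campaign(self, caller, campaign_id):
        manager, amount = self.campaigns[campaign_id]
        if manager != caller:
            raise PermissionError("only the campaign manager may cancel")
        del self.campaigns[campaign_id]
        self.token.transfer(self.NAME, caller, amount)  # refund the deposit
        if self.revoke_on_cancel:
            # Hardened form: the tokens backing the approval are gone, so the
            # approval goes with them in the same operation.
            self.token.approve(self.NAME, caller, 0)


def run_attack(revoke_on_cancel, other_deposits=1_303_910, loan=1_305_000):
    """Replay the two-transaction flow. Returns (allowance left after tx 1,
    attacker balance at the end, whether the transferFrom drain succeeded)."""
    usdc = ERC20()
    attacker = "AttackContract"
    usdc.mint(ClaimCampaigns.NAME, other_deposits)  # funds already held by the contract
    usdc.mint("Balancer", loan)                     # flash-loan liquidity
    cc = ClaimCampaigns(usdc, revoke_on_cancel)

    # Tx 1 (0xa17f in the analysis): flash loan -> create -> cancel -> repay
    usdc.transfer("Balancer", attacker, loan)
    cc.create_locked_campaign(attacker, "campaign-1", loan)
    cc.cancel_campaign(attacker, "campaign-1")
    usdc.transfer(attacker, "Balancer", loan)
    dangling = usdc.allowance.get((ClaimCampaigns.NAME, attacker), 0)

    # Tx 2: spend whatever allowance survived, bounded by the contract's balance
    try:
        usdc.transfer_from(attacker, ClaimCampaigns.NAME, attacker, other_deposits)
        drained = True
    except ValueError:
        drained = False
    return dangling, usdc.balance.get(attacker, 0), drained


if __name__ == "__main__":
    print("vulnerable:", run_attack(revoke_on_cancel=False))  # (1305000, 1303910, True)
    print("hardened:  ", run_attack(revoke_on_cancel=True))   # (0, 0, False)
```

Running it prints, for each variant, the allowance left over after the first transaction, the attacker's final balance, and whether the second transaction's transferFrom went through. The vulnerable run also shows why the amount taken is bounded by the contract's remaining balance rather than by the 1.305M approved; the hardened run fails at transferFrom because no allowance survives the refund.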
3. Security Recommendations
In light of this attack, the following precautions should be observed during development:
(1) Keep the contract logic complete and rigorous during design and development, especially wherever assets are transferred. Token transfers and approval amounts must stay in sync: whenever tokens that back an approval are transferred out, reduce or revoke that approval in the same operation, so that no allowance outlives the tokens it was meant to cover.
(2) Before launch, have the smart contracts audited by a professional third-party auditing firm.