Bent Finance Hacked: Reportedly $2.1M Lost

This morning the Bent Finance platform tweeted that there is a possible exploit. They notified users that they had disabled claims, so rewards cannot be claimed at the moment. They are investigating the Curve LP pools. They suggested that users who want to be safe can withdraw now, and said they will post an update as soon as they know more.

According to the linked transactions, the platform was exploited eight days ago, and the exploiter withdrew 260,000 cvxCRV. The most recent exploit took place at about 04:50 UTC on December 21, 2021, and also shows an outgoing transaction of about 250,000 cvxCRV. Together the two sums come to around $2.17M.

Bent Finance Exploiter
Recently, the latter 250,000 were transferred to this account (0x9e966a54082427d7ac56aeaee4baae7d11a6e468), which shows transactions of around half a million stolen cvxCRV. Further, we believe that the exploiter converted the stolen funds to ETH and then transferred the ETH to a smart contract (a classic one).

Bent Finance Tornado Cash
And like all classic exploits, the hacker then used a smart contract to interact with Tornado Cash.

They have disabled reward claims, but not deposits or withdrawals. This was to ensure that the pool rewards could not be withdrawn and that no additional BENT could be minted. The Curve LP pools do not control deposit or withdrawal functions, as they do not touch user deposits, so the team cannot disable those. The original exploiter can no longer exploit the Bent cvxCRV pool, but Bent Finance still advises users to withdraw from the other Bent Curve pools.

They again informed users that there is an active exploit on the Bent Curve pools and recommended withdrawing from the protocol until further notice. They said they were not going anywhere and would recover from this one way or another.

They informed users in their Telegram channel that the exploit happened eight days ago but has not been repeated. The wallet was identified today because Bent is listed on DeBank, where wallets can be sorted by pending rewards, which made the wallet easy to identify. They stopped rewards from being claimable as soon as the wallet was identified.

