Key takeaways:
- Bent Finances apologised to individuals who were impacted and thanked them for their patience.
- Bent Finances has made amends for the monies lost as a result of the scam.
BENT went live on DeBank a few days ago, allowing community members to check the quantity of “deposits” of various tokens. This revealed one wallet with a CVXCRV balance of over $500 million and a MIM balance of roughly the same. The contract was “fooled” by this balance, which allowed the holder to withdraw other people’s tokens until the pool was empty.
It was odd how it happened, especially because we discovered that the exploit had been deployed 20 days earlier and that the attacker was not actively withdrawing.
The team contacted the two best white hat hackers they could find: one of them was Samczsun, and the other was a deep anon known only through a referral. They sat down with the team in a war room and determined that this was, in fact, an inside job.
The contracts were initially deployed as “verified,” and those were the ones that were audited. “Someone” sneaked in an unverified contract upgrade before upgrading to the next verified contract, while burning the proxy and strengthening security (kek). This upgrade hardcoded a half-billion dollars in deposits they didn’t possess, allowing them to drain the pools whenever they wanted in the future.
The BENT Team is made up of a number of full-time individuals, including swisshed, ape, santonicle, and conrad, as well as a few others who serve in support roles. In addition, the CTO had been working with a “dev” on other projects for a while, and this developer had been a supporter of his for some time. The dev was given the deployer’s private keys in order to perform the upgrades, and it was at this point that he slipped in the vulnerability.
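Two checks that would have surfaced what is described above: an implementation that went live unverified between two audited ones, and a pool whose recorded deposits exceed the tokens it actually holds. The example below is added here and is not Bent’s code; the upgrade history, wallet addresses and balances are constructed placeholders, and a monitor would feed it real `Upgraded` events and `balanceOf` results.

```python
from dataclasses import dataclass
from decimal import Decimal


@dataclass(frozen=True)
class Upgrade:
    """One Upgraded(implementation) event from a proxy's history (constructed)."""
    block: int
    implementation: str
    verified: bool  # source published and matching the audited build


# Constructed upgrade history: an audited build, an unverified build slipped in,
# then the next audited build. Addresses are placeholders, not real contracts.
UPGRADES = [
    Upgrade(100, "0xIMPL_AUDITED_V1", True),
    Upgrade(150, "0xIMPL_UNVERIFIED", False),
    Upgrade(160, "0xIMPL_AUDITED_V2", True),
]

# Constructed pool ledger: what the contract records as deposited per wallet,
# versus what the token contract reports the pool actually holds.
RECORDED_DEPOSITS = {
    "0xWALLET_A": Decimal("1200"),
    "0xWALLET_B": Decimal("800"),
    "0xWALLET_X": Decimal("500000000"),  # the planted balance
}
ACTUAL_BALANCE = Decimal("2000")  # token.balanceOf(pool)


def unverified_upgrades(upgrades):
    """Implementations that went live without verified source: each is a window
    in which storage or logic could have been changed without review."""
    return [u.implementation for u in upgrades if not u.verified]


def accounting_gap(recorded, actual):
    """Sum of recorded deposits minus the real balance; a positive gap means the
    ledger promises more than the pool holds, so withdrawals can drain others."""
    return sum(recorded.values(), Decimal(0)) - actual


def outsized_depositors(recorded, actual):
    """Wallets whose recorded deposit alone exceeds the pool's real balance."""
    return sorted(w for w, amt in recorded.items() if amt > actual)


if __name__ == "__main__":
    print("unverified implementations:", unverified_upgrades(UPGRADES))
    print("accounting gap:", accounting_gap(RECORDED_DEPOSITS, ACTUAL_BALANCE))
    print("outsized depositors:", outsized_depositors(RECORDED_DEPOSITS, ACTUAL_BALANCE))
```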
After a few days of “interesting things,” the exploiter agreed to return the funds to the multisig at 0xaBb8B277F49de499b902A1E09A2aCA727595b544.
We were a touch short, as he had dumped the Curve tokens at the bottom and the price has been pushed up since, and he sent us ETH and DAI, but we figured it out.
To date, the community has contributed an additional 200,000 cvxcrv ($1M) to help close the deficit.
You can also see what the team did to fix access so that this doesn’t happen again.
The reimbursement of lost monies for 512,696.06482288612 cvxcrv-f, which was paid in full, may be found here:
The following is a link to the hack that occurred: