DeFi protocol Sentiment hacked for over $500K

Key takeaways:

• Sentiment, an uncollateralized loan protocol, has been hacked on for more than $500,000 in cryptocurrency.

• The assault on the DeFi lending platform has been classified as a reentry attack. 

• The attacker appears to have stolen the tokens using a re-entry vulnerability and then transferred them to the Ethereum network. 

 A malicious exploit affected Sentiment, a decentralised finance (DeFi) tool that provides lending and borrowing services on the Arbitrum layer-2 network, causing a loss of almost $1 million.

The team suspended the Sentiment main contract and limited capability to only processing withdrawals, according to the Twitter thread, in order to prevent the loss of additional funds. 

Data from the Ethereum network reveals a transaction that moved 536,738.410031 USD Coins from the Synapse Bridge. This transaction connects to a string of Arbitrum transactions that drained Sentiment of its coins. 

The team has worked with outside security auditors to execute a user-pleasing fix for the issue. Users can pay off debts and exit jobs as a result. To find the perpetrator and get the money back, the team is also collaborating with law enforcement and other parties.

1/4

A status update on the current situation: At approximately 06:00:00 PM +UTC The Sentiment team became aware of abnormal borrowing activity which has now been declared as a malicious exploit.

— Sentiment (@sentimentxyz) April 5, 2023

According to developer Pascal Marco Caversaccio, the event was probably caused by a reentrancy attack. In this line of attack, an exposed Sentiment contract was frequently called by a third-party contract before its status could be revised.

Reentrancy strikes again! pic.twitter.com/ULWi1367yQ

— sudo rm -rf –no-preserve-root / (@pcaversaccio) April 4, 2023

The reentrancy attack occurs when a malicious party uses a smart contract flaw to frequently withdraw money that was sent to an unapproved contract.

Another protocol fell prey to a similar reentrancy attack last month.  A loss of almost $3.65 million was caused by an assault on dForce, an Integrated Platform for DeFi Protocols. The hack was directed at Curve Finance, an automatic market maker (AMM) platform that utilises the Optimism and Arbitrum blockchains.

Sentiment also contacted the hacker, offering to give them a bounty of 10% of the money they had stolen in exchange for returning the remainder. If the assets were returned by April 6 at 8 a.m. UTC, the company agreed to pay $95,000.  

#CertiKSkynetAlert ????

An hour ago a message was sent to the @sentimentxyz hacker.

The message outlined a reward of $95K if the assets are returned by 8 AM UTC on April 6.

Conversely if not returned, the reward will be given to those who provide info on the hacker.

Stay safe! pic.twitter.com/fb2xTqCNJ1

— CertiK Alert (@CertiKAlert) April 5, 2023

PeckShield, the platform’s security advisor, documented the exploit’s analysis on its blog, outlining how the attacker manipulated pool balances and overcollateralized Sentiment loans by taking advantage of a view reentrancy bug in Balancer.

The root cause is known to be the read-only reentrancy of Balancer: https://t.co/ynuWr6PZMR. Here is the related tx: https://t.co/iqvS48njau https://t.co/Mxkc1xoJn5 pic.twitter.com/IPzmtLKrBx

— PeckShield Inc. (@peckshield) April 5, 2023

According to Peckshield, the attacker made off with about $1 million worth of cryptocurrency after taking significant amounts of tokens from Sentiment using flash loans.