- LendHub claims that on January 12, hackers stole $6 million from its protocol.
- The hacker has reportedly sent ether valued at $1.5 million to Tornado Cash.
LendHub, a DeFi lender, reported on Friday that an attack cost it $6 million in crypto assets. LendHub reported that the attack happened on January 12. The DeFi lender also mentioned that it had been in touch with cryptocurrency exchanges and blockchain security companies to help find the stolen cryptocurrency.
According to on-chain data, the hacker’s wallet address withdrew 100 ether ($134,000) from the authorized cryptocurrency mixer Tornado Cash. The attacker then bridged these funds to the LendHub platform and attacked the protocol by targeting a critical vulnerability that the team had not yet patched.
According to blockchain security company SlowMist, the flaw stemmed from the existence of two IBSV cTokens on the platform, one of which had replaced the other. However, the previous one was never removed from LendHub’s protocol. The difference in asset pricing between the two tokens on the lending platform created the vulnerability. The SlowMist team stated:
“Exploiting this vulnerability, the attackers were able to manipulate the minting and redeeming process in the old market while borrowing in the new market, ultimately stealing significant protocol funds from the new market”
The attacker quickly started bridging the money they had stolen from Heco, LendHub’s operating network, to other chains such as Ethereum and Optimism. Several techniques were used to complete these cross-chain transfers, including Transit Swap and Multichain. As of the time of reporting, the hacker still has USDT and DAI stablecoins worth around $2.6 million in his wallet.
According to reports, the hacker has begun transferring some assets through the trusted cryptocurrency mixer Tornado Cash. LendHub promotes itself as the “most secure decentralized lending platform” for cross-chain lending. It is based on the Huobi-developed Heco blockchain. LendHub announced that it would look into the incident in great detail.
A hacker stole $173,000 from Defrost Finance a few weeks ago. After the exploit, the value of the project’s native token dropped substantially. And just recently, a new scam in the cryptocurrency industry called “Address Poisoning” has started making the rounds. The address used in this scam may look eerily similar to your actual address.