Key Takeaways:
- The value of Gym Network drops after integrating new code.
- The team is trying to come up with a recovery plan.
Gym Network, which promises a “perfect workout for your tokens,” has suffered a huge loss after adding new code following the completion of two audits.
The newly added feature led to a loss of $2.1 million, and the price of the network plummeted as a result. The BSC-based yield aggregator, built on top of Alpaca Finance, introduced a vulnerable “Guarantee and Pool” feature in its updated Single Pool Contract two days prior. The bug stems from a lack of caller verification, which was exploited to increase a balance without making any payment, PeckShield stated.
It allowed the hacker to make false deposits into the contract. They were processed even though the hacker was not spending any coins, and the hacker could then easily withdraw the credited balance. The attacker was funded via Tornado Cash, and their exploit contracts swapped the stolen GYMNET into a total of ~7.5k BNB.
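The bug class described above, as an added example: a simplified Python model, not Gym Network's contract code. The class and method names (`credit_external_deposit`, `HardenedPool`, `is_solvent`) are hypothetical, and the fix shown is one common pattern, an allow-list of trusted callers, paired with a solvency invariant that defenders can monitor.

```python
# Simplified model, constructed for illustration; all names are hypothetical.
class Token:
    """Minimal ledger standing in for the pooled token."""
    def __init__(self):
        self.bal = {}

    def mint(self, who, amt):
        self.bal[who] = self.bal.get(who, 0) + amt

    def transfer(self, src, dst, amt):
        if amt <= 0 or self.bal.get(src, 0) < amt:
            raise ValueError("insufficient balance")
        self.bal[src] -= amt
        self.bal[dst] = self.bal.get(dst, 0) + amt


class VulnerablePool:
    ADDR = "pool"

    def __init__(self, token):
        self.token, self.credited = token, {}

    def deposit(self, caller, amt):
        # Normal path: tokens move into the pool before the user is credited.
        self.token.transfer(caller, self.ADDR, amt)
        self.credited[caller] = self.credited.get(caller, 0) + amt

    def credit_external_deposit(self, caller, beneficiary, amt):
        # Flaw: assumes a trusted contract already paid in; caller is never checked.
        self.credited[beneficiary] = self.credited.get(beneficiary, 0) + amt


class HardenedPool(VulnerablePool):
    def __init__(self, token, trusted_callers):
        super().__init__(token)
        self.trusted = frozenset(trusted_callers)

    def credit_external_deposit(self, caller, beneficiary, amt):
        # Fix: only allow-listed contracts may report a deposit made elsewhere.
        if caller not in self.trusted:
            raise PermissionError("caller is not an authorised contract")
        super().credit_external_deposit(caller, beneficiary, amt)


def is_solvent(pool):
    """Invariant to monitor: credited balances never exceed tokens actually held."""
    return sum(pool.credited.values()) <= pool.token.bal.get(pool.ADDR, 0)
```

The `is_solvent` check is the kind of invariant worth asserting in tests and re-running whenever a new credit path is added to an already audited contract.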
2k BNB (~$570k) was sent to Tornado Cash, and 3k BNB (~$855k) remained on the exploiter’s BSC address. 2.5k BNB was swapped to 387 ETH (~$700k) and bridged to an ETH address.
Soon after this, Gym Network confirmed the hack, informed users in its Telegram group, and promised to provide a recovery plan.