Almost $500,000 was made off Sentiment liquidity protocolAlmost $500,000 was made off Sentiment liquidity protocolSentiment, a mechanism for uncollateralized lending, seems to have been abused for over $500,000 in cryptocurrency on April 4. The blockchain data of Ethereum reveals a transfer of 536,740,410031 USD in currency USDC from the Synapse Bridge, and this is connected to a sequence of arbitrum transactions that drain currency from the Sentiment protocol.

The wallet launching the assault has been named “Sentimentxyz Exploiter” by Arbiscan, and the Sentiment team has notified Twitter that it is aware of a “possible fault” with the protocol.

This may be a reentry attack, according to the Twitter user Officer’s Notes. The user reached this conclusion based on research conducted by Twitter user FrankResearcher.

The Sentiment team has not yet disclosed what measures are being taken to halt the assault or what users may do to limit risk.

According to further study, the attacker may have obtained the deployer key for the protocol. The attacker deployed a contract to the Arbitrum network at address 0xa4d063b9468b93aee2a87ec7072c3ab5e5968.

One minute later, the “run” function of this contract was invoked. This function call failed, returning “Fail with error ‘BAL#420.” The attacker retaliated by successfully using the “self-destruct” mechanism of the contract. This obliterated the contract’s whole code from the blockchain.

After deleting this contract, the adversary redeployed at 0x9f626F5941FAfe0A5b839907d77fbBD5a0deA9D0.

Admin for the BeaconProxy being changed. Source: Arbitrum blockchain data

And another transaction upgraded the contract:

BeaconProxy being upgraded. Source: Arbitrum blockchain data

They then used the “run” function again. This time, it was successful, resulting in the contract carrying out many transactions. One of these transactions modified the administrator for a BeaconProxy contract stored at 0xdf346f8d160424c79cb8e8b49b13dd0ca61d3b8c.

This suggests that the assault may have included a stolen deployer key.

As the contract was updated, the malicious smart contract allowed the attacker to move a variety of tokens, resulting in the protocol’s loss of money. Next, these assets were exchanged and transferred to the Ethereum network using the Synapse bridge.

After these transactions had been executed, the attacker deleted the contract code once again.

The smart contract used in the attack, after being self-destructed. Source: Arbitrum blockchain data

Almost $500,000 was made off Sentiment liquidity protocol

Newsletter

Blog Posts

Cardano’s P2P Evolution Nears With Genesis Rollout

Vitalik Buterin Defends Ethereum’s PoS Transition

Wormhole Price Soars 15% with W Token Launch

Recent Posts