Hedera Exploit: Attackers Target Smart Contract Service Code

Published on 10 March 2023 at 11:51

The exact sum of tokens that were stolen is still not known.


Decentralized proof-of-stake (PoS) blockchain Hedera finally confirmed a security breach. In an update, the team behind the platform revealed that attackers managed to exploit the Smart Contract Service code of the protocol’s mainnet to transfer Hedera Token Service tokens held by victims’ accounts to their own.

It said the team has identified the root cause of the issue and is working on a solution.

Hedera Exploit

Hedera further noted that, to carry out the theft, the attackers targeted accounts used as liquidity pools on multiple decentralized exchanges, including Pangolin, SaucerSwap, and HeliSwap, that run Uniswap v2-derived contract code ported over to use the Hedera Token Service.

Hedera announced that it was shutting down network services, initially citing “network irregularities” as the reason. In the latest confirmation thread posted by the platform, it said the mainnet proxies remain turned off to prevent the attacker from stealing more tokens, which also removes user access to the mainnet. The team is currently working on a solution.

“Once the solution is ready, Hedera Council members will sign transactions to approve the deployment of updated code on mainnet to remove this vulnerability, at which point the mainnet proxies will be turned back on, allowing normal activity to resume.”

Network Irregularities

Several decentralized applications running on the network had previously flagged suspicious activity. The Hedera-based cross-chain bridge Hashport became the first entity to freeze bridged assets after detecting smart contract irregularities earlier this week.

So far, the Hedera Token Service (HTS) and Hedera Consensus Service (HCS) have been affected by the exploit.

DeFi research firm Ignas said the exploit is targeting the “decompiling process in smart contracts.” Several Hedera-based decentralized exchanges, on the other hand, advised users to withdraw their funds. But later, SaucerSwap confirmed it was unaffected by the exploit and asked users not to withdraw liquidity from the platform.

However, Pangolin’s chief Justin Trollip stated that the decentralized exchange was drained of $20,000, in addition to $2,000 from HeliSwap. Hours later, he received information suggesting that an additional 100k was stolen. The attackers failed to move their funds off Hedera since they no longer had access to paused Hashport tokens. Their exit plan to Ethereum was also compromised, thanks to the teams’ joint efforts.

However, the attackers then started attempting to move their funds to ChangeNow.io and Godex.io. According to Trollip, a team member has reportedly reached out to the centralized crypto exchanges to halt the activity, and authorities have been alerted.

Following the incident, the total value locked (TVL) is dropping rapidly. According to data compiled by DefiLlama, Hedera’s TVL fell to $24.59 million, down by more than 16% over the past 24 hours.

Hedera’s native token, HBAR, also suffered losses of over 7% and was trading at $0.057 at the time of writing.
