Sentiment, an undercollateralized lending protocol, appears to have been exploited on April 4 for over $500,000 in crypto. Ethereum blockchain data shows a transaction that transferred 536,738.410031 USD Coin (USDC) from the Synapse Bridge, and this links up with a series of Arbitrum transactions draining funds from the Sentiment protocol.
The wallet performing the attack has been labeled “Sentimentxyz Exploiter” by Arbiscan, and the Sentiment team has announced on Twitter that they are aware of a “potential issue” with the protocol.
The Sentiment team has recently been made aware of a potential issue regarding the Sentiment protocol. We’re actively looking into the situation and will provide additional information shortly.
— Sentiment (@sentimentxyz) April 4, 2023
Twitter user Officer’s Notes has suggested that this may be a reentrancy attack. The user relied on research done by Twitter user FrankResearcher to come to this conclusion.
The Sentiment team has not yet stated what steps are being taken to stop the attack or what users should do to mitigate risk.
Further investigation reveals that the attacker may have stolen the protocol’s deployer key. The attacker began by deploying a contract to the Arbitrum network at the following address: 0xa4d063b9468b93aee2a87ec7072c3dabd5ee5968.
They then called the “run” function on this contract a minute later. However, this function call failed, producing a “Fail with error ‘BAL#420’” response. The attacker responded by calling the “self-destruct” function on the contract, which succeeded. This erased all of the contract’s code from the blockchain.
After destroying this contract, the attacker redeployed at the following address: 0x9f626F5941FAfe0A5b839907d77fbBD5d0deA9D0.
They then called the “run” function once again. This time it succeeded, causing the contract to perform a number of transactions. One of these transactions changed the admin of a BeaconProxy contract located at address 0xdf346f8d160424c79cb8e8b49b13dd0ca61c3b8c.
And one other transaction upgraded the contract:
This suggests that the attack may have been the result of a stolen deployer key.
After the contract was upgraded, the malicious smart contract allowed the attacker to transfer various tokens, resulting in the loss of funds from the protocol. These funds were then swapped and moved through the Synapse bridge to the Ethereum network.
Once these transactions were completed, the attacker once again destroyed the contract code.
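The sequence described above (proxy admin changed, then the implementation upgraded, from a key that should never do either) is exactly what a protocol's own monitoring should alert on. The following is an added example, not code from the article or from Sentiment: it scans decoded proxy events for a non-allowlisted admin change on the watched BeaconProxy (address taken from the article) followed by an upgrade. The allowlisted admin, the rogue address, transaction hashes and implementation values are constructed placeholders, and it assumes the proxy emits the standard ERC-1967 AdminChanged/Upgraded/BeaconUpgraded events.

```python
from dataclasses import dataclass, field

PROXY = "0xdf346f8d160424c79cb8e8b49b13dd0ca61c3b8c"  # BeaconProxy from the article
WATCHED_PROXIES = {PROXY}
# Assumption: the legitimate admin (ideally a multisig behind a timelock) is
# known in advance. ADMIN is a constructed placeholder, not a real address.
ADMIN = "0x000000000000000000000000000000000000aaaa"
EXPECTED_ADMINS = {ADMIN}
# ERC-1967 events that change who controls a proxy or which code it runs.
SENSITIVE_EVENTS = {"AdminChanged", "Upgraded", "BeaconUpgraded"}

@dataclass(frozen=True)
class DecodedLog:
    block: int
    tx_hash: str
    sender: str   # account that sent the transaction
    address: str  # contract that emitted the event
    event: str
    args: dict = field(default_factory=dict)

def scan_logs(logs, window_blocks=50):
    """One alert per sensitive event on a watched proxy. An admin change to a
    non-allowlisted address is 'high'; an upgrade that follows it within
    window_blocks is 'critical', the sequence described in the incident."""
    alerts, suspicious_admin_change = [], {}
    for log in sorted(logs, key=lambda l: l.block):
        proxy = log.address.lower()
        if proxy not in WATCHED_PROXIES or log.event not in SENSITIVE_EVENTS:
            continue
        severity = "info" if log.sender.lower() in EXPECTED_ADMINS else "high"
        if log.event == "AdminChanged":
            if log.args.get("newAdmin", "").lower() not in EXPECTED_ADMINS:
                severity = "high"
                suspicious_admin_change[proxy] = log.block
        elif (proxy in suspicious_admin_change
              and log.block - suspicious_admin_change[proxy] <= window_blocks):
            severity = "critical"
        alerts.append({"severity": severity, "block": log.block,
                       "tx": log.tx_hash, "event": log.event})
    return alerts

# Constructed sample logs; the rogue sender, hashes and implementations are placeholders.
ROGUE = "0x000000000000000000000000000000000000bad1"
SAMPLE_LOGS = [
    DecodedLog(100, "0xtx1", ADMIN, PROXY, "Upgraded", {"implementation": "0xb1"}),
    DecodedLog(200, "0xtx2", ROGUE, PROXY, "AdminChanged",
               {"previousAdmin": ADMIN, "newAdmin": ROGUE}),
    DecodedLog(201, "0xtx3", ROGUE, PROXY, "Upgraded", {"implementation": "0xb2"}),
]
```

Running `scan_logs(SAMPLE_LOGS)` yields an info alert for the routine upgrade, a high alert for the admin change and a critical alert for the upgrade that follows it one block later.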