Defi Protocol Hacker Returns $1.6M Following Chainlink Oracle Glitch

Despite depositing just one $70 GMX token, the hacker was able to borrow $1.6 million in liquidity.

The hacker who targeted the DeFi protocol Tender.fi returned $1.6 million and received 62.15 ether ($85,000) as a bug bounty instead.

The attack occurred after the price feed was modified to relay data from a Chainlink pricing oracle instead of a time-weighted average price (TWAP). The code, which was audited by PeckShield, returned a number with too many zeros. According to a postmortem published on Tender.fi’s Medium page, the attacker was able to deposit one GMX token, worth around $70, tricking the system into allowing infinite borrowing.

“It appears your Oracle was misconfigured. Please contact me to resolve this.” The hacker left this on-chain message after extracting $1.6 million from the protocol.

The white hat hacker was paid 62.15 ether as a bug bounty by Tender.fi.

Prior to unpausing borrowing, the protocol intends to deploy a new rewritten Oracle contract. It also plans to repay any unpaid debts left behind by the hacker.
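The scaling failure described in the postmortem, a price with too many zeros inflating the borrowing power of a $70 deposit, can be modelled in integer fixed-point arithmetic. This is an added example, not Tender.fi's or Chainlink's code; the 18-decimal internal scale, 8-decimal feed, 70% collateral factor, 10% deviation bound and the TWAP cross-check itself are assumptions, since the page does not give the contract's scale factors or the design of the rewritten oracle.

```python
# Added illustration: fixed-point model of an oracle answer scaled with the
# wrong number of decimals, plus a reference-price sanity check.
# Every constant below is constructed for the example.

WAD = 10**18   # assumed internal price scale (18 decimals)
BPS = 10_000   # basis points


class PriceRejected(Exception):
    """Raised when an oracle answer fails validation."""


def to_wad(answer: int, feed_decimals: int) -> int:
    """Rescale a raw integer oracle answer to WAD using the feed's decimals."""
    if answer <= 0:
        raise PriceRejected("non-positive oracle answer")
    return answer * WAD // 10**feed_decimals


def borrow_limit(amount_wad: int, price_wad: int, factor_bps: int) -> int:
    """USD borrowing power (WAD-scaled) of a collateral deposit."""
    return amount_wad * price_wad // WAD * factor_bps // BPS


def checked_price(answer: int, feed_decimals: int, twap_wad: int,
                  max_dev_bps: int = 1_000) -> int:
    """Accept the rescaled price only if it is within max_dev_bps of a TWAP."""
    price = to_wad(answer, feed_decimals)
    dev_bps = abs(price - twap_wad) * BPS // twap_wad
    if dev_bps > max_dev_bps:
        raise PriceRejected(f"price deviates {dev_bps} bps from TWAP")
    return price


# Constructed sample: one token, feed reports $70.00 with 8 decimals.
RAW_ANSWER, FEED_DECIMALS = 70 * 10**8, 8
TWAP_WAD = 69 * WAD            # constructed reference price
ONE_TOKEN, FACTOR_BPS = WAD, 7_000

if __name__ == "__main__":
    good = to_wad(RAW_ANSWER, FEED_DECIMALS)
    bad = to_wad(RAW_ANSWER, 0)      # scaling bug: feed decimals ignored
    print("correct limit  $", borrow_limit(ONE_TOKEN, good, FACTOR_BPS) // WAD)
    print("inflated limit $", borrow_limit(ONE_TOKEN, bad, FACTOR_BPS) // WAD)
    try:
        checked_price(RAW_ANSWER, 0, TWAP_WAD)
    except PriceRejected as exc:
        print("guard:", exc)
```

With the decimals ignored, the same one-token deposit supports a limit eight orders of magnitude larger, and the cross-check against the reference price rejects that answer before it reaches the borrowing calculation.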

In the past 24 hours, TND has risen by 2.37% against its ethereum pair, but remains down by 7.62% against its U.S. dollar pair following a crypto market rout.
