DeFi Protocol Hacker Returns $1.6M Following Chainlink Oracle Glitch
- March 10, 2023
Despite depositing just one $70 GMX token, the hacker was able to borrow $1.6 million in liquidity.
The hacker who targeted the DeFi protocol Tender.fi returned $1.6 million and received 62.15 ether ($85,000) as a bug bounty instead.
The attack occurred after the price feed was modified to relay data from a Chainlink pricing oracle instead of a time-weighted average price (TWAP). The code, which was audited by PeckShield, returned a number with too many zeros. According to a postmortem published on Tender.fi’s Medium page, the attacker was able to deposit one GMX token, worth around $70, tricking the system into allowing infinite borrowing.
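An added illustration, not code from Tender.fi, PeckShield or the postmortem: a Python model of how a price scaled with too many zeros inflates the borrowing power of a one-token deposit, and of a deviation check against an independent reference price that fails closed. The feed answer, the 12 extra zeros, the 70% collateral factor, the 20% bound and all function names are assumptions made for the example.

```python
# Added illustration; all values below are constructed, not taken from Tender.fi's contracts.
WAD = 10**18             # assumed internal fixed-point scale for prices and token amounts
FEED_DECIMALS = 8        # Chainlink USD feeds conventionally report 8 decimals
RAW_ANSWER = 70 * 10**8  # constructed feed answer for a ~$70 token
TWAP_REF = 69 * WAD      # constructed independent reference price (e.g. a TWAP)


def normalize(answer: int, feed_decimals: int) -> int:
    """Scale a raw feed answer to WAD using the decimals the feed itself reports."""
    if answer <= 0:
        raise ValueError("non-positive oracle answer")
    if feed_decimals > 18:
        return answer // 10 ** (feed_decimals - 18)
    return answer * 10 ** (18 - feed_decimals)


def mis_scaled(answer: int, extra_zeros: int = 12) -> int:
    """Model of a scaling bug: the right price times 10**extra_zeros (size assumed)."""
    return normalize(answer, FEED_DECIMALS) * 10**extra_zeros


def borrow_limit(tokens_wad: int, price_wad: int, factor_bps: int = 7000) -> int:
    """USD borrowing power (WAD) of a deposit; factor_bps is a hypothetical collateral factor."""
    return tokens_wad * price_wad // WAD * factor_bps // 10_000


def is_plausible(price_wad: int, reference_wad: int, max_dev_bps: int = 2000) -> bool:
    """Accept a price only if it is within max_dev_bps of the reference."""
    return abs(price_wad - reference_wad) * 10_000 <= max_dev_bps * reference_wad


def guarded_borrow_limit(tokens_wad: int, price_wad: int) -> int:
    """Fail closed: refuse to value collateral when the price fails the sanity check."""
    if not is_plausible(price_wad, TWAP_REF):
        raise ValueError("oracle price outside deviation bound; borrowing paused")
    return borrow_limit(tokens_wad, price_wad)


if __name__ == "__main__":
    good, bad = normalize(RAW_ANSWER, FEED_DECIMALS), mis_scaled(RAW_ANSWER)
    print("correct limit (USD):", borrow_limit(WAD, good) // WAD)
    print("mis-scaled limit (USD):", borrow_limit(WAD, bad) // WAD)
    for label, price in (("correct", good), ("mis-scaled", bad)):
        try:
            print(label, "->", guarded_borrow_limit(WAD, price) // WAD)
        except ValueError as err:
            print(label, "-> rejected:", err)
```

With these constructed numbers the correct price gives a $49 borrowing limit for one token, while the mis-scaled price gives a limit twelve orders of magnitude larger until the deviation check rejects it.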
“It appears your Oracle was misconfigured. Please contact me to resolve this.” The hacker left an on-chain message after extracting $1.6 million from the protocol.
The white hat hacker was paid 62.15 ether as a bug bounty by Tender.fi.
Prior to unpausing borrowing, the protocol intends to deploy a newly rewritten oracle contract. It also plans to repay any unpaid debts left behind by the hacker.
In the past 24 hours, TND has risen by 2.37% against its ethereum pair, but remains down by 7.62% against its U.S. dollar pair following a crypto market rout.