Hedgey Finance Hack Analysis

Shashank, SolidityScan
Apr 25, 2024

Overview:

On April 19, 2024, Hedgey Finance was exploited through a business logic flaw in its smart contracts, with total losses exceeding 45M USD.

Smart Contract Hack Overview:

Fig: Attack Transaction

Decoding the Smart Contract Vulnerability:

  • The vulnerability sits in the campaign creation and cancellation flow of the ClaimCampaigns contract.
  • On creation, the locked tokens are transferred into the contract, and the contract grants the creating user (the campaign manager) an ERC20 allowance over them.
  • On cancellation, however, the contract never revokes the campaign manager's allowance.
  • The contract's own logic marks the campaign as cancelled so that no further claims can be made, but nothing is done at the token level: the approval stays in place and can still be spent with transferFrom.
  • The exploiter takes a flash loan of $1.3M USDC, creates a campaign with it, and then cancels the campaign to get the locked funds back.
  • The exploit contract then drains $1.3M USDC from the ClaimCampaigns contract by calling transferFrom with the allowance granted at creation.
Fig: The root cause of the vulnerability

Mitigation and Best Practices:

  • Revoke allowances granted to contracts as soon as they are no longer needed. Once a campaign is cancelled and its funds are withdrawn, the allowance from the ClaimCampaigns contract to the campaign manager should be revoked immediately.
  • Validate your code with comprehensive test cases that cover every possible business-logic path.
  • To prevent such vulnerabilities, have experienced smart contract auditors examine the contracts for logical issues. We at CredShields provide smart contract security as well as end-to-end security of web applications and externally exposed networks. Schedule a call at https://credshields.com/
  • Scan your Solidity contracts for the latest common security vulnerabilities with 130+ detections at SolidityScan.
Fig: SolidityScan — Smart Contract Vulnerability Scanner
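The cancellation flaw described under "Decoding the Smart Contract Vulnerability", beside the allowance revocation recommended under "Mitigation and Best Practices", reduced to a minimal escrow contract. This is an added illustration, not Hedgey's ClaimCampaigns code; the contract name, function names and campaign layout are hypothetical.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.20;

// Minimal ERC20 surface used below (declared inline so the example needs no imports).
interface IERC20 {
    function transfer(address to, uint256 amount) external returns (bool);
    function transferFrom(address from, address to, uint256 amount) external returns (bool);
    function approve(address spender, uint256 amount) external returns (bool);
}

/// Hypothetical escrow that pools locked tokens for many campaigns (not Hedgey's code).
contract CampaignEscrow {
    struct Campaign { address manager; address token; uint256 amount; bool active; }
    mapping(bytes16 => Campaign) public campaigns;

    function createCampaign(bytes16 id, address token, uint256 amount) external {
        require(!campaigns[id].active, "campaign exists");
        require(IERC20(token).transferFrom(msg.sender, address(this), amount), "pull failed");
        campaigns[id] = Campaign(msg.sender, token, amount, true);
        // The escrow grants the manager an allowance so claims can later be settled.
        require(IERC20(token).approve(msg.sender, amount), "approve failed");
    }

    // VULNERABLE: the campaign is closed in contract state and the refund is sent, but the
    // token-level allowance to the manager is left intact. Because this contract holds
    // tokens for every campaign, the manager can still transferFrom(escrow, ...) up to
    // that amount after the refund, spending other campaigns' funds.
    function cancelCampaignVulnerable(bytes16 id) external {
        Campaign storage c = campaigns[id];
        require(c.active && c.manager == msg.sender, "not active manager");
        c.active = false;                                   // contract-side guard only
        require(IERC20(c.token).transfer(c.manager, c.amount), "refund failed");
    }

    // FIXED: zero the allowance in the same transaction as the cancellation, before the
    // refund leaves, so no approval survives once the campaign is closed.
    function cancelCampaign(bytes16 id) external {
        Campaign storage c = campaigns[id];
        require(c.active && c.manager == msg.sender, "not active manager");
        c.active = false;
        require(IERC20(c.token).approve(c.manager, 0), "revoke failed");
        require(IERC20(c.token).transfer(c.manager, c.amount), "refund failed");
    }
}
```

A regression test for the fix is a single invariant: after cancelCampaign, token.allowance(address(escrow), manager) must read 0. Asserting that in the cancellation test would have flagged the vulnerable version before deployment.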

Conclusion:

SolidityScan is an advanced smart contract scanning tool that discovers vulnerabilities and reduces risk in code. Request a security audit with us and we will help you secure your smart contracts. Sign up for a free trial at https://solidityscan.com/signup

Follow us on our Social Media for Web3 security-related updates.
SolidityScan — LinkedIn | Twitter | Telegram | Discord
