Users of an Arbitrum-based decentralized finance (DeFi) project have fallen victim to a 2 million USD exploit, leaving some with nothing in their accounts.
The Hope Finance Twitter account notified users of the scam on February 21st, after which CertiK, a web3 security firm, picked up on the incident and flagged it on its Twitter account.
Details about the project are difficult to obtain. The platform's Twitter account was launched in January 2023 and outlined plans for an algorithmic stablecoin, the Hope token (HOPE), which adjusts its supply in proportion to the price of Ether.
Shortly after the platform went live on February 20th, a Nigerian national performed a scam that transferred over 1.86 million USD to Tornado Cash. A CertiK team member informed Cointelegraph that the scammer had altered the smart contract details, which led to funds leaking from the Hope Finance genesis protocol:
It appears that the scammer changed the TradingHelper contract which meant that when 0x4481 calls OpenTrade on the GenesisRewardPool the funds are transferred to the scammer.
On February 13th, an official tweet announced that the Hope Finance smart contract had been audited by Cognitos. The audit summary flagged two major vulnerabilities in contract functions.
The vulnerabilities included the possibility of reentrancy attacks and an incorrect modifier. Nonetheless, the smart contract passed the audit.
Shortly after the scam, Hope Finance shared information with its users on how to withdraw staked liquidity from the protocol using an emergency withdrawal function.
Arbitrum and Optimism are layer-2 roll-up networks for Ethereum that enable exponential scaling of smart contracts. These two layer-2 protocols continue to handle the ever-increasing number of transactions inside the Ethereum ecosystem.