It seems that Web3 can’t take a break. After ongoing dramas, lawsuits, and major crypto scams, it now faces a smart contract exploitation scheme. Smart contract exploitation is not new to the Web3 space. In fact, many scams are embedded within a smart contract, where traders miss or overlook them. As the new iteration of the internet takes shape, it is important to learn how to read a smart contract, or else network exploitation will keep happening.
The firm behind the distributed ledger Hedera Hashgraph recently suffered a smart contract attack that led to the theft of several liquidity pool tokens.
Hedera Smart Contract Exploit
Hedera Hashgraph is an open-source, decentralized proof-of-stake public ledger that was introduced as an alternative to regular blockchains, as it provides faster transaction times and lower fees. The Hedera Token Service (HTS) allows the configuration and transfer of native tokens on the public Hedera network. Last year, Hedera upgraded its network to include the Hedera Smart Contract Service. The service converts Ethereum Virtual Machine (EVM)-compatible smart contracts onto the Hedera HTS.
However, in a Twitter announcement on March 10, the Hedera team revealed a smart contract exploit on its mainnet that resulted in the loss of several service tokens. According to the Twitter post, the attacker targeted liquidity pools on decentralized exchange (DEX) platforms such as SaucerSwap Labs and HeliSwap, which use code from Uniswap v2.
Today, attackers exploited the Smart Contract Service code of the Hedera mainnet to transfer Hedera Token Service tokens held by victims’ accounts to their own account. (1/6)
— Hedera (@hedera) March 10, 2023
The Twitter thread goes on to state that the exploitation was detected when the attacker tried to move the stolen tokens across the Hedera bridge, which led the Hedera team to temporarily stop all bridge activity.
The DEX SaucerSwap Labs believes that the attacks were targeting the decompiling process in smart contracts, which was a result of the Hedera smart contract service upgrade. However, the Hedera team did not confirm this claim and stated that “The team has identified the root cause of the issue and is working on a solution”.
🚨An ongoing exploit has hit the Hedera network this morning. The exploit is targeting the decompiling process in smart contracts. At time of writing attackers have hit Pangolin and HeliSwap pools containing wrapped assets. We are unsure if other HTS tokens are at risk too.
— SaucerSwap Labs 🧪 (@SaucerSwapLabs) March 9, 2023
Hedera went a step further to stop the attacker from stealing more tokens by shutting down the mainnet IP proxies. This removes users’ access to the network. “Once the solution is ready, Hedera Council members will sign transactions to approve the deployment of updated code on mainnet to remove this vulnerability, at which point the mainnet proxies will be turned back on, allowing normal activity to resume”, Hedera stated.
After shutting down the server’s proxies, the Hedera team urged their users and token holders to check their balances and the Ethereum Virtual Machine (EVM) address “for their own comfort”.
Per CoinGecko’s chart, Hedera’s native token has fallen around 8% since the Hedera smart contract exploit. This fall can be attributed to token holders rushing to withdraw their funds before further exploitation takes place. In addition, the total value locked (TVL) on the DEX SaucerSwap fell nearly 30% over the same period.
The Hedera smart contract exploit came at a particularly bad time for the platform. It overshadowed the news of the Hedera mainnet surpassing 5 billion transactions on March 9.
Are Smart Contracts That Vulnerable?
Although smart contracts are prone to logical errors such as typographical errors, misinterpretation of specifications, and other serious programming errors that might affect their security, they are generally secure against outside attacks. However, these types of errors might lead to smart contract vulnerabilities, or might create a point of attack that a scammer can use for their benefit.
In Hedera’s smart contract exploit, the breach might have happened because of a vulnerability in the upgrade. Web3 is still in its early stages. We might see an influx of security measures and developments following the numerous scams and attacks we’re witnessing.