The crypto industry gets hit with yet another hack.
On April 4th, lending protocol Sentiment appears to have fallen victim to a security breach, leading to the loss of more than $500,000 in cryptocurrency.
The exploit, which involved the transfer of 536,738.410031 USD Coin (USDC) from the Synapse Bridge, can be traced back to a series of Arbitrum transactions that drained funds from Sentiment.
Did you know?
Subscribe - We publish new crypto explainer videos every week!
What is a Liquidity Pool in Crypto? (Animated)
Arbiscan has identified the wallet responsible for the attack as "Sentimentxyz Exploiter."
Following the news about a possible exploit, Sentiment took to Twitter to confirm that the company was aware of the hack.
The Sentiment team has recently been made aware of a potential issue concerning the Sentiment protocol. We are actively looking into the situation and will provide additional information momentarily.
Twitter users, dubbed Officer's Notes and FrankResearcher, have suggested the possibility of a reentrancy attack.
Almost ten hours after the initial message, the Sentiment shared a Twitter thread revealing the steps it took to fix any vulnerabilities and investigate the exploit. Sentiment claimed that although the company shortly "paused Sentiment's main contract," its customers can now "repay debts and unwind their positions."
On top of that, the firm highlighted that it will continue to work with "law enforcement and close contributors to identify the hacker."
It is believed that the attacker might have gained access to the protocol's deployer key. Initially, the attacker deployed a contract on the Arbitrum network and subsequently called the "run" function on the contract.
This initial attempt failed, resulting in a "Fail with error 'BAL#420" message. The attacker then successfully executed the "self-destruct" function on the contract, erasing its code from the blockchain.
The attacker proceeded to redeploy the contract and call the "run" function again. This time, the function call succeeded, causing the contract to carry out multiple transactions. One of these transactions modified the admin settings for a BeaconProxy contract.
After the contract upgrade, the malicious smart contract granted the attacker permission to transfer various tokens, resulting in a significant loss for the protocol. The stolen funds were exchanged and moved via the Synapse bridge to the Ethereum network.
Upon completing these transactions, the attacker once again destroyed the contract code.