Liquidity protocol Sentiment exploited for over $500K

by Jeremy

Sentiment, an undercollateralized lending protocol, appears to have been exploited on April 4 for over $500,000 in crypto. Ethereum blockchain data shows a transaction that transferred 536,738.410031 USD Coin (USDC) from the Synapse Bridge, and this links up with a series of Arbitrum transactions draining funds from Sentiment.

The wallet carrying out the attack has been labeled “Sentimentxyz Exploiter” by Arbiscan, and the Sentiment team has announced on Twitter that they are aware of a “potential problem” with the protocol.

Twitter user Officer’s Notes has suggested that this may be a reentrancy attack. The user relied on research done by Twitter user FrankResearcher to arrive at this conclusion.

The Sentiment team has not yet stated what steps are being taken to stop the attack or what users should do to mitigate risk.

Further investigation reveals that the attacker may have stolen the protocol’s deployer key. The attacker began by deploying a contract to the Arbitrum network at the following address: 0xa4d063b9468b93aee2a87ec7072c3dabd5ee5968.

They then called the “run” function on this contract a minute later. However, this function call failed, producing a “Fail with error ‘BAL#420’” response. The attacker responded by calling the “self-destruct” function on the contract, which succeeded. This erased all of the contract’s code from the blockchain.

After destroying this contract, the attacker redeployed at the following address: 0x9f626F5941FAfe0A5b839907d77fbBD5d0deA9D0.

They then called the “run” function once again. This time, it succeeded, causing the contract to perform a number of transactions. One of these transactions changed the admin for a BeaconProxy contract located at address 0xdf346f8d160424c79cb8e8b49b13dd0ca61c3b8c.

Admin for the BeaconProxy being changed. Source: Arbitrum blockchain data

And one other transaction upgraded the contract:

BeaconProxy being upgraded. Source: Arbitrum blockchain data

This suggests that the attack may have been the result of a stolen deployer key.
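From a monitoring standpoint, the two on-chain events just described (a proxy admin change followed by an upgrade) are exactly what a protocol team would want to alert on. The script below is an added example, not code from the article or from Sentiment: it flags the standard ERC-1967 AdminChanged, Upgraded and BeaconUpgraded events on a set of watched proxies in eth_getLogs-style records. The proxy address is the one named above; the old/new admin, the implementation address and the transaction hashes are constructed placeholders.

```python
# Standard ERC-1967 event topics (keccak256 of the event signature).
TOPIC_ADMIN_CHANGED = "0x7e644d79422f17c01e4894b5f4f588d331ebfa28653d42ae832dc59e38c9798f"
TOPIC_UPGRADED = "0xbc7cd75a20ee27fd9adebab32041f755214dbc6bffa90cc0225b39da2e5c2d3b"
TOPIC_BEACON_UPGRADED = "0x1cf3b03a6cf19fa2baba4df148e9dcabedea7f8a5c07840e207e5c089be95d3e"

def _word_to_addr(word: str) -> str:
    """Low 20 bytes of a 32-byte ABI word given as hex (with or without 0x)."""
    return "0x" + word[-40:].lower()

def scan_proxy_logs(logs, watched_proxies, trusted_admins):
    """One alert dict per admin change or upgrade of a watched proxy.
    `logs` are eth_getLogs-style records: address, topics, data, transactionHash."""
    watched = {p.lower() for p in watched_proxies}
    trusted = {a.lower() for a in trusted_admins}
    alerts = []
    for log in logs:
        proxy = log["address"].lower()
        if proxy not in watched or not log["topics"]:
            continue
        sig = log["topics"][0].lower()
        if sig == TOPIC_ADMIN_CHANGED:
            # previousAdmin and newAdmin are not indexed: two 32-byte words in data.
            new_admin = _word_to_addr(log["data"][2:][64:128])
            alerts.append({"tx": log["transactionHash"], "proxy": proxy,
                           "kind": "admin_changed", "new_value": new_admin,
                           "new_admin_trusted": new_admin in trusted})
        elif sig in (TOPIC_UPGRADED, TOPIC_BEACON_UPGRADED):
            # implementation / beacon is indexed, so it sits in topics[1].
            kind = "upgraded" if sig == TOPIC_UPGRADED else "beacon_upgraded"
            alerts.append({"tx": log["transactionHash"], "proxy": proxy, "kind": kind,
                           "new_value": _word_to_addr(log["topics"][1]),
                           "new_admin_trusted": None})
    return alerts

# Constructed sample: the proxy address is the one named in the article; the
# admin, implementation and transaction hashes are placeholders.
PROXY = "0xdf346f8d160424c79cb8e8b49b13dd0ca61c3b8c"
OLD_ADMIN, NEW_ADMIN, NEW_IMPL = ("0x" + b * 20 for b in ("aa", "11", "22"))
def _w(addr: str) -> str:
    return addr[2:].lower().rjust(64, "0")  # address -> 32-byte ABI word (hex)

SAMPLE_LOGS = [
    {"address": PROXY, "topics": [TOPIC_ADMIN_CHANGED],
     "data": "0x" + _w(OLD_ADMIN) + _w(NEW_ADMIN), "transactionHash": "0xtx1"},
    {"address": PROXY, "topics": [TOPIC_UPGRADED, "0x" + _w(NEW_IMPL)],
     "data": "0x", "transactionHash": "0xtx2"},
    {"address": "0x" + "33" * 20, "topics": [TOPIC_UPGRADED, "0x" + _w(NEW_IMPL)],
     "data": "0x", "transactionHash": "0xtx3"},  # not a watched proxy: ignored
]
```

Any admin change to an address outside the allow-list, and any upgrade outside a planned release, is worth paging on; an admin change immediately followed by an upgrade from the same sender is the pattern this incident shows.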

After the contract was upgraded, the malicious smart contract approved the attacker to transfer various tokens, resulting in the loss of funds from the protocol. These funds were then swapped and moved through the Synapse bridge to the Ethereum network.

Once these transactions were completed, the attacker once again destroyed the contract code.

The smart contract used in the attack, after being self-destructed. Source: Arbitrum blockchain data