How Someone Borrowed $1.6M With $70 Worth of Collateral: The Tender.Fi Exploit

0



The hacker who stole $1.59 million worth of crypto assets from Arbitrum-based decentralized finance (DeFi) lending platform Tender.fi has returned nearly all the funds, keeping roughly $97,000 as a bounty reward.

Tender.fi was exploited on the morning of March 7, with the project’s official Twitter handle confirming the incident in a tweet a few minutes later.

Tender.fi Exploited for $1.59 Million

According to the tweet, Tender.fi disclosed that it had noticed and was looking into an “unusual amount” of loans. The platform also paused its lending service during the investigation.

On-chain data showed that the attacker exploited an oracle glitch. The bug allowed the hacker to borrow up to $1.59 million in ether (ETH) tokens with a deposit of one GMX token worth $71 as collateral.

After the exploit, the hacker left an on-chain message for Tender.fi, saying, “It looks like your oracle was misconfigured. contact me to sort this out.” This shows that the exploiter is a white hat hacker.

A few hours later, Tender.fi disclosed that it had contacted the attacker to negotiate and discuss the terms of a bounty agreement.

“The whitehat has made contact over debank and we are currently in discussions on how to remedy this situation. We will update you with more information when we have it,” the protocol said.

Hacker Keeps $97k as Bounty

Seven hours later, the protocol revealed that it had agreed with the hacker and the funds would be returned.

About an hour later, the hacker returned $1.49 million and kept $96,500 as a bounty. Both Tender.fi and blockchain security firm PeckShield confirmed the transaction.

SPECIAL OFFER (Sponsored)
Binance Free $100 (Exclusive): Use this link to register and receive $100 free and 10% off fees on Binance Futures first month (terms).

PrimeXBT Special Offer: Use this link to register & enter POTATO50 code to receive up to $7,000 on your deposits.



Source link

You might also like
Leave A Reply

Your email address will not be published.